CVE-2026-43634

HIGH

HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header

Title source: cna

Description

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header: the application trusts that header without verifying that the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing a trusted IP address on each request.
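The root cause described above is a general proxy-header trust mistake, not something specific to HestiaCP's code. The following is an added illustration written for this entry (it is not HestiaCP's own code and does not reproduce its fix): a weak client-IP resolver that believes CF-Connecting-IP unconditionally, beside a hardened one that honours the header only when the TCP peer is a known proxy address and the header value parses as an IP address. The proxy ranges, request data and function names are constructed for the example; a real deployment would load Cloudflare's published list (https://www.cloudflare.com/ips/) rather than the placeholders here.

```python
import ipaddress

# Constructed placeholder ranges standing in for the reverse proxy's published
# egress addresses. These are documentation-only networks, not Cloudflare's.
TRUSTED_PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

CLIENT_IP_HEADER = "CF-Connecting-IP"


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def vulnerable_client_ip(remote_addr, headers):
    """The weak pattern (CWE-348): whatever the client wrote into the header
    becomes the 'client IP' that rate limits, allowlists and audit logs use."""
    forwarded = _header(headers, CLIENT_IP_HEADER)
    return forwarded if forwarded is not None else remote_addr


def hardened_client_ip(remote_addr, headers, trusted_ranges=TRUSTED_PROXY_RANGES):
    """Resolve the client IP safely.

    The header is honoured only when (a) the socket peer is inside a trusted
    proxy range, and (b) the header value is a syntactically valid address.
    In every other case the socket peer address is returned, so a direct
    connection cannot choose its own identity.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_ranges):
        # Not coming through the proxy: the header is attacker-controlled.
        return str(peer)
    forwarded = _header(headers, CLIENT_IP_HEADER)
    if forwarded is None:
        return str(peer)
    try:
        return str(ipaddress.ip_address(forwarded.strip()))
    except ValueError:
        # Garbage in the header from a trusted proxy: fail closed to the peer.
        return str(peer)


def is_allowlisted(client_ip, allowlist):
    """Per-user IP allowlist check, shown to make the consequence concrete:
    it is only as strong as the resolver that produced client_ip."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry) for entry in allowlist)


if __name__ == "__main__":
    # Constructed request: a direct connection (not via the proxy) that
    # claims, in the header, to be the user's allowlisted office address.
    direct_peer = "198.51.100.7"
    spoofed_headers = {"cf-connecting-ip": "10.0.0.1"}
    user_allowlist = ["10.0.0.0/24"]

    weak = vulnerable_client_ip(direct_peer, spoofed_headers)
    safe = hardened_client_ip(direct_peer, spoofed_headers)
    print("weak resolver   ->", weak, "allowlisted:", is_allowlisted(weak, user_allowlist))
    print("hardened resolver ->", safe, "allowlisted:", is_allowlisted(safe, user_allowlist))

    # Constructed request that really did traverse the trusted proxy.
    via_proxy = hardened_client_ip("203.0.113.5", {"CF-Connecting-IP": "192.0.2.44"})
    print("via proxy        ->", via_proxy)
```

Feeding the resolved address from `hardened_client_ip` into fail2ban-style failure counters, allowlist checks and audit log lines is what closes all three impacts listed in the description at once; the socket peer, not the header, is the only identity a non-proxied client can present.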

Scores

CVSS v3 7.5
EPSS 0.0006
EPSS Percentile 18.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-348
Status published
Products (2)
hestiacp/hestiacp 1.2.0 - 1.9.4
hestiacp/hestiacp f381e294500f671cf12716c638afd0bfde901f88
Published May 19, 2026
Tracked Since May 19, 2026