HIGHCVE-2026-43634Published Modified CNA VulnCheck
CVE-2026-43634: HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.
Metrics
- CVSS v4.0
- 8.7
- Severity
- HIGH
- Fixed in
- f381e294500f671cf12716c638afd0bfde901f88
- Affected Products
- 1
Affected packages
- hestiacp / hestiacp≤ 1.9.4Fixed in f381e294500f671cf12716c638afd0bfde901f88
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N