CVE-2026-44161: Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`

June 26, 2026

The out_http output plugin allows the use of placeholders (such as ${tag}) in the endpoint configuration parameter. It was discovered that if the placeholder value is derived from untrusted user input, an attacker can maliciously control the destination hostname of the outbound HTTP requests made by Fluentd.

References

github.com/advisories/GHSA-72f5-rr8c-r6gr
github.com/fluent/fluentd/releases/tag/v1.19.3
github.com/fluent/fluentd/security/advisories/GHSA-72f5-rr8c-r6gr
nvd.nist.gov/vuln/detail/CVE-2026-44161

Code Behaviors & Features

Detect and mitigate CVE-2026-44161 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →