CVE ID: CVE-2026-43634
Published: May 19, 2026, 3:16 p.m.
Description: HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
https://cvefeed.io/vuln/detail/CVE-2026-43634
CVE-2026-43634 - HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header
-
Starburst-David
- Posts: 53
- Joined: Wed Feb 11, 2026 8:31 pm