HestiaCP IP Spoofing Vulnerability Bypasses Auth Controls

The National Vulnerability Database has detailed CVE-2026-43634, a high-severity IP spoofing vulnerability impacting HestiaCP versions 1.2.0 through 1.9.4. This flaw allows unauthenticated remote attackers to bypass critical authentication security controls. The core issue lies in HestiaCP’s failure to properly validate the CF-Connecting-IP HTTP header, allowing an attacker to supply an arbitrary IP address without verifying the request originates from Cloudflare’s trusted network.

Attackers can leverage this vulnerability to circumvent fail2ban brute-force protections, bypass per-user IP allowlists, and poison authentication audit logs. By spoofing a trusted IP address on each request, they can mask their true origin and make it significantly harder for defenders to detect and respond to malicious activity. The CVSS v3.1 base score is 7.5 (HIGH), reflecting the significant impact on integrity with no authentication required.

This isn’t just a theoretical bypass; it’s a fundamental breakdown of trust. When an attacker can dictate the source IP, all IP-based security mechanisms become moot. Defenders relying on fail2ban or IP allowlists for HestiaCP instances are essentially operating without those controls if this vulnerability isn’t addressed.

What This Means For You

  • If your organization uses HestiaCP, immediately check your version. Any instance running 1.2.0 through 1.9.4 is exposed to this IP spoofing vulnerability. Patching is paramount, but also review your security architecture to ensure that IP trust boundaries are enforced at the network edge, not just at the application layer. Audit your HestiaCP authentication logs for entries whose source IP appears internal or allowlisted but whose login behaviour is abnormal.
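As an added illustration (not HestiaCP's own code), the following shows the resolution pattern the advisory describes, where CF-Connecting-IP is honoured from any peer, beside a hardened version that accepts the header only when the TCP peer address lies inside a trusted-proxy range, and an audit-log line that keeps the socket peer alongside the asserted address. The trusted-proxy CIDRs, header dictionaries and log format are constructed for the example; a real deployment would load the address ranges Cloudflare publishes.

```python
import ipaddress

# Constructed trusted-proxy ranges for this example only; a real deployment
# loads the address ranges Cloudflare publishes instead of hard-coding them.
TRUSTED_PROXY_CIDRS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_ip_vulnerable(peer_ip, headers):
    """The pattern the advisory describes: the header wins, whoever sent it."""
    return _header(headers, "CF-Connecting-IP") or peer_ip


def client_ip_hardened(peer_ip, headers, trusted_proxies=TRUSTED_PROXY_CIDRS):
    """Honour CF-Connecting-IP only when the socket peer is a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        return str(peer)  # direct connection: the header is client-controlled, ignore it
    raw = _header(headers, "CF-Connecting-IP")
    if raw is None:
        return str(peer)
    try:
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return str(peer)  # malformed value even from a trusted proxy: fall back to the socket


def auth_log_line(peer_ip, headers, user, success):
    """Record the socket peer and the raw header next to the resolved client IP,
    so a spoofed header cannot erase the true origin from the audit trail."""
    return (
        f"user={user} result={'ok' if success else 'fail'} "
        f"client_ip={client_ip_hardened(peer_ip, headers)} peer_ip={peer_ip} "
        f"cf_connecting_ip={_header(headers, 'CF-Connecting-IP') or '-'}"
    )
```

Any IP-based control (fail2ban, per-user allowlists) should consume the hardened value, and the log line gives defenders the peer address to pivot on when the asserted address looks internal or allowlisted.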

Indicators of Compromise

ID | Type | Indicator
CVE-2026-43634 | Vulnerability | CVE-2026-43634
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 18:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
