Description

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header, which the application trusts without verifying that the request originated from Cloudflare's network. Because the spoofed value is used as the client address, attackers can circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by presenting a trusted IP address on each request.
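The flawed pattern and its fix side by side, as an added illustration that is not HestiaCP's own code: a client-IP resolver that honours CF-Connecting-IP unconditionally, next to one that only honours it when the TCP peer is a Cloudflare edge, with an allowlist check showing why the difference matters. The CLOUDFLARE_RANGES sample below is constructed for the example; a real deployment must load the current list Cloudflare publishes.

```python
import ipaddress

# Constructed sample of Cloudflare edge ranges for this example only; load the
# current published list (and refresh it) in a real deployment.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "103.21.244.0/22", "173.245.48.0/20", "2400:cb00::/32",
)]


def client_ip_vulnerable(remote_addr, headers):
    """Flawed pattern: any client can set CF-Connecting-IP and be believed."""
    return headers.get("CF-Connecting-IP", remote_addr)


def is_cloudflare(remote_addr):
    """True when the TCP peer address lies inside a known Cloudflare range."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def client_ip_hardened(remote_addr, headers):
    """Honour CF-Connecting-IP only when the peer is a Cloudflare edge and the
    header parses as an IP address; otherwise fall back to the peer address."""
    if not is_cloudflare(remote_addr):
        return remote_addr
    forwarded = headers.get("CF-Connecting-IP")
    if forwarded is None:
        return remote_addr
    try:
        return str(ipaddress.ip_address(forwarded.strip()))
    except ValueError:
        # Garbage in the header must not become the "client IP" in logs.
        return remote_addr


def login_allowed(remote_addr, headers, allowlist, resolve=client_ip_hardened):
    """Per-user IP allowlist check; the outcome depends on which resolver
    supplies the client address."""
    ip = ipaddress.ip_address(resolve(remote_addr, headers))
    return any(ip in ipaddress.ip_network(cidr) for cidr in allowlist)


if __name__ == "__main__":
    # Constructed request: non-Cloudflare peer claiming an allowlisted address.
    peer, hdrs, allow = "203.0.113.9", {"CF-Connecting-IP": "10.0.0.5"}, ["10.0.0.0/8"]
    print("vulnerable resolver grants login:",
          login_allowed(peer, hdrs, allow, client_ip_vulnerable))  # True
    print("hardened resolver grants login:",
          login_allowed(peer, hdrs, allow))  # False
```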

Status: PUBLISHED | Reserved 2026-05-01 | Published 2026-05-19 | Updated 2026-05-19 | Assigner: VulnCheck

HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N)

HIGH: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Problem types

Use of Less Trusted Source

Product status

Default status: affected

1.2.0 (semver): affected

f381e294500f671cf12716c638afd0bfde901f88 (git): unaffected

Credits

sutol (finder)

divinity76 (remediation developer)

References

mercuryiss.com.au/...-spoofing-cve-2026-43633-cve-2026-43634 (technical-description, exploit)

github.com/hestiacp/hestiacp/issues/5229 (issue-tracking)

github.com/hestiacp/hestiacp/pull/5273 (issue-tracking)

github.com/...ommit/f381e294500f671cf12716c638afd0bfde901f88 (patch)

www.vulncheck.com/...ip-spoofing-via-cf-connecting-ip-header (third-party-advisory)

cve.org (CVE-2026-43634)

nvd.nist.gov (CVE-2026-43634)