<Vulnerability name="CVE-2026-44024">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-08T21:20:29</PublicDate>
    <Bugzilla id="2498282" url="https://bugzilla.redhat.com/show_bug.cgi?id=2498282" xml:lang="en:us">
fluentd: Fluentd: Remote Code Execution via arbitrary file write due to insufficient tag validation
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>9.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-22</CWE>
    <Details xml:lang="en:us" source="Mitre">
Fluentd collects events from various data sources and writes them to files, RDBMS, NoSQL, IaaS, SaaS, Hadoop and so on. Prior to 1.19.3, Fluentd allows dynamically constructing file paths using the ${tag} placeholder, and insufficient validation of ${tag} in file configurations such as the path parameter of the out_file plugin allows attackers sending untrusted tags containing path traversal characters to write or overwrite arbitrary files and potentially achieve remote code execution. This issue is fixed in version 1.19.3.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Fluentd, a data collector. This vulnerability allows a remote attacker to achieve arbitrary file write and potentially remote code execution by sending untrusted tags containing path traversal characters. The issue arises from insufficient validation of the ${tag} placeholder in file configurations, such as the path parameter of the out_file plugin. Successful exploitation could lead to a full system compromise without authentication, depending on the Fluentd configuration and its process privileges.
    </Details>
    <Statement xml:lang="en:us">
Red Hat has determined that no Red Hat product is currently affected by this vulnerability. Exploitation requires a Fluentd deployment configured with an output plugin, such as out_file, that constructs file paths dynamically from the ${tag} placeholder, combined with the ability for an attacker to submit untrusted, attacker-influenced tags to that Fluentd instance (for example, via an exposed forward or HTTP input). Deployments that do not accept externally influenced tags, or that do not use tag-based dynamic path construction in output plugin configuration, are not exposed to this issue in practice. Red Hat has completed a portfolio-wide search for Fluentd across Red Hat product offerings (strict and substring dependency search) and found no currently supported Red Hat product that ships the vulnerable code path.
    </Statement>
    <Mitigation xml:lang="en:us">
Upgrade to Fluentd 1.19.3 or later, which validates the ${tag} placeholder in output plugin path configuration and rejects path traversal characters. Where an immediate upgrade is not possible: avoid using the ${tag} placeholder in file-path-based output plugin configuration (such as the path parameter of out_file); if dynamic tag-based paths are required, restrict allowed tag values with an explicit allowlist/regex filter (for example via a &lt;filter&gt; directive) before they reach the output plugin; and ensure only trusted sources can submit tags to the Fluentd instance by not exposing its forward or HTTP input directly to untrusted networks.
    </Mitigation>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-44024
https://nvd.nist.gov/vuln/detail/CVE-2026-44024
https://github.com/fluent/fluentd/commit/45c87a81f3ac0b72b3f9dcfe8cfb5f9038f81437
https://github.com/fluent/fluentd/pull/5391
https://github.com/fluent/fluentd/releases/tag/v1.19.3
https://github.com/fluent/fluentd/security/advisories/GHSA-44hj-4m45-frj3
    </References>
</Vulnerability>