HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header

Advisories

HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header

severity: high
date: 5/19/2026
Affecting: HestiaCP 1.2.0 - 1.9.4
CVE: CVE-2026-43634
CWE: CWE-348 Use of Less Trusted Source
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References: Mercury ISS Blog
GitHub Issue
Pull Request
Patch Commit
Credit: sutol
Description: HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo