Description
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.
Published: 2026-05-19
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HestiaCP versions 1.2.0 through 1.9.4 can be tricked into accepting an arbitrary CF-Connecting-IP header value when verifying user authentication. This allows an unauthenticated attacker to convince the system that a request comes from a trusted IP address, thereby bypassing authentication controls, disabling fail2ban protections, evading per-user IP allowlists, and corrupting audit logs. The weakness is classified as CWE-348, a type of spoofing flaw that permits malicious actors to masquerade as legitimate network addresses.

Affected Systems

The vulnerability affects HestiaCP installations running any version between 1.2.0 and 1.9.4 inclusive. Affected systems host the HestiaCP web-based control panel and rely on the CF-Connecting-IP header to determine the client IP for authentication and auditing purposes.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity for this flaw. The EPSS score is not available, so the current probability of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by sending crafted HTTP requests with a manipulated CF-Connecting-IP header over the Internet, assuming they can reach the HestiaCP service. No authentication or privileged credentials are required; the vulnerability is exploitable from outside the target network.

Generated by OpenCVE AI on May 19, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade HestiaCP to the latest available release that contains a patch for CF-Connecting-IP header validation.
  • Modify the HestiaCP authentication logic to accept the CF-Connecting-IP header only when the request originates from the Cloudflare IP ranges, or disable the header entirely if Cloudflare is not used.
  • Enforce network-level restrictions so that only Cloudflare IP addresses can reach the HestiaCP service and strip or reject any CF-Connecting-IP header on non-Cloudflare traffic.
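The second recommended action above, trusting CF-Connecting-IP only when the TCP peer is actually Cloudflare, is shown below as an added Python example written for this page; it is not HestiaCP's own code and does not reproduce its authentication logic. The weak resolver mirrors the pattern the advisory describes (the header is honoured whenever present), and the hardened resolver beside it falls back to the socket peer address unless the peer lies inside a trusted range and the header value parses as an IP address. The Cloudflare ranges used here are constructed documentation-prefix placeholders, not Cloudflare's real published lists.

```python
import ipaddress
from typing import Mapping, Optional, Sequence

# Constructed placeholder ranges for this example only. A real deployment loads
# Cloudflare's published IPv4 and IPv6 lists and refreshes them on a schedule.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:cf::/48"),
]


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_cloudflare_peer(remote_addr: str, ranges: Sequence = CLOUDFLARE_RANGES) -> bool:
    """True only when the TCP peer address lies inside a trusted Cloudflare range."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    # IPv4Address-in-IPv6Network (and vice versa) simply yields False here.
    return any(addr in net for net in ranges)


def resolve_client_ip_unchecked(remote_addr: str, headers: Mapping[str, str]) -> str:
    """The weak pattern from the advisory: the header wins whenever it is present, so
    any direct client can choose the address fail2ban, allowlists and audit logs see."""
    return _header(headers, "CF-Connecting-IP") or remote_addr


def resolve_client_ip(remote_addr: str, headers: Mapping[str, str],
                      ranges: Sequence = CLOUDFLARE_RANGES) -> str:
    """Hardened form: honour CF-Connecting-IP only when the peer is Cloudflare and the
    value parses as an IP address; otherwise use the socket peer address."""
    value = _header(headers, "CF-Connecting-IP")
    if value is None or not is_cloudflare_peer(remote_addr, ranges):
        return remote_addr
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        # A malformed header from a genuine proxy is still not something to log as
        # the client identity; fall back to the peer rather than failing open.
        return remote_addr


if __name__ == "__main__":
    # Constructed requests: a direct client that forges the header, and a genuine
    # Cloudflare-proxied request carrying the visitor's address.
    forged = ("198.51.100.7", {"CF-Connecting-IP": "192.0.2.1"})
    proxied = ("203.0.113.10", {"CF-Connecting-IP": "192.0.2.1"})
    for peer, hdrs in (forged, proxied):
        print(peer, "unchecked ->", resolve_client_ip_unchecked(peer, hdrs),
              "| hardened ->", resolve_client_ip(peer, hdrs))
```

In a deployment that does not use Cloudflare at all, `ranges` would be empty, which makes the hardened resolver ignore the header entirely; this matches the advice to disable the header when Cloudflare is not in the path. Whatever address the resolver returns is the one that should feed the fail2ban log line, the per-user allowlist check and the audit record, so that all three agree.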

Advisories

No advisories yet.

History

Tue, 19 May 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 15:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Hestiacp; Hestiacp hestiacp

Type: Vendors & Products
Values Removed: (none)
Values Added: Hestiacp; Hestiacp hestiacp

Tue, 19 May 2026 14:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.

Type: Title
Values Removed: (none)
Values Added: HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-348

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-19T16:39:31.444Z

Reserved: 2026-05-01T18:22:45.641Z

Link: CVE-2026-43634

Vulnrichment

Updated: 2026-05-19T16:39:27.735Z

NVD

Status : Deferred

Published: 2026-05-19T15:16:31.023

Modified: 2026-05-19T17:57:58.497

Link: CVE-2026-43634

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:30:08Z

Weaknesses