CVE-2026-43634
HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header
HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Productos afectados
hestiacp · hestiacpPoCs públicas encontradas — 1
cve_referencemercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634no verificado⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.
¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://github.com/hestiacp/hestiacp/commit/f381e294500f671cf12716c638afd0bfde901f88https://github.com/hestiacp/hestiacp/issues/5229https://github.com/hestiacp/hestiacp/pull/5273https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634https://www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header