PatchSiren cyber security CVE debrief
CVE-2026-43634 hestiacp CVE debrief
CVE-2026-43634 is a high-severity IP spoofing flaw in HestiaCP. According to the published description, affected versions 1.2.0 through 1.9.4 accept an arbitrary CF-Connecting-IP value without first verifying that the request actually came from Cloudflare. That breaks the trust model for client-IP handling and can let unauthenticated remote attackers bypass IP-based authentication controls, evade brute-force defenses, and contaminate audit logs with forged source addresses.
- Vendor: hestiacp
- Product: Unknown
- CVSS: HIGH 8.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
HestiaCP administrators, hosting providers, and security teams that rely on Cloudflare-aware IP handling should prioritize this issue, especially if they use CF-Connecting-IP for fail2ban, per-user IP allowlists, authentication decisions, or forensic logging.
Technical summary
The vulnerability is an IP spoofing / trust-boundary issue (CWE-348). HestiaCP versions 1.2.0 through 1.9.4 reportedly accept the CF-Connecting-IP header from arbitrary clients without validating that the request originated from Cloudflare’s network. As a result, the application may treat attacker-supplied IP addresses as trusted client identities, which can undermine IP-based security controls and make authentication logs misleading.
Defensive priority
High. The flaw is exploitable without authentication, is reachable over the network, and affects security controls that are commonly used to limit brute force and enforce access policy. The published CVSS score is 8.7 (HIGH).
Recommended defensive actions
- Apply the upstream HestiaCP patch associated with the linked commit/PR as soon as possible.
- Restrict trust in CF-Connecting-IP to requests proven to originate from Cloudflare IP ranges only.
- Review any fail2ban, firewall, or allowlist rules that consume client IP data from reverse-proxy headers.
- Check authentication and audit logs for suspicious IP patterns or repeated trust of the same forged address.
- If Cloudflare is not in use, disable header-based client IP trust and use a validated proxy configuration instead.
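The following is an added illustration of the trust-boundary point made in the technical summary and of the second and fourth recommended actions above; it is example code written for this debrief, not HestiaCP's own code or its patch. It contrasts the header-handling pattern the CVE describes (honouring CF-Connecting-IP from any peer) with a hardened resolver that only honours the header when the TCP peer falls inside a configured list of trusted proxy ranges, and it adds a small log-review helper that flags requests where a non-proxy peer supplied the header. The trusted range used (203.0.113.0/24, TEST-NET-3) is a constructed stand-in so the example runs offline; a real deployment must load Cloudflare's published ranges and refresh them. The function and variable names are the example's own.

```python
import ipaddress
from typing import Iterable, List, Mapping, Optional, Sequence, Tuple

# Constructed stand-in for the trusted reverse-proxy ranges. In production this
# list must be populated from Cloudflare's published IP ranges (and refreshed),
# not hard-coded; TEST-NET-3 is used here only so the example runs offline.
TRUSTED_PROXY_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

HEADER = "cf-connecting-ip"


def _normalise(headers: Mapping[str, str]) -> Mapping[str, str]:
    """HTTP header names are case-insensitive; compare them in lower case."""
    return {k.lower(): v for k, v in headers.items()}


def client_ip_vulnerable(peer_ip: str, headers: Mapping[str, str]) -> str:
    """The pattern the CVE describes: the header is trusted no matter who sent it.

    Any direct client can set CF-Connecting-IP and become whatever address it
    likes in the eyes of allowlists, fail2ban and the audit log.
    """
    return _normalise(headers).get(HEADER, peer_ip)


def peer_is_trusted_proxy(peer_ip: str, ranges: Sequence[ipaddress._BaseNetwork]) -> bool:
    """True if the TCP peer address lies inside one of the trusted proxy networks.

    Mixed IPv4/IPv6 comparisons simply evaluate to False in the ipaddress module.
    """
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ranges)


def client_ip_hardened(
    peer_ip: str,
    headers: Mapping[str, str],
    trusted_ranges: Sequence[ipaddress._BaseNetwork] = TRUSTED_PROXY_RANGES,
) -> str:
    """Honour CF-Connecting-IP only when the peer is a trusted proxy.

    Falls back to the real peer address when the peer is untrusted, when the
    header is absent, or when its value does not parse as a single IP address.
    """
    if not peer_is_trusted_proxy(peer_ip, trusted_ranges):
        return peer_ip
    raw: Optional[str] = _normalise(headers).get(HEADER)
    if raw is None:
        return peer_ip
    try:
        # Normalises the textual form and rejects garbage such as lists of IPs.
        return str(ipaddress.ip_address(raw.strip()))
    except ValueError:
        return peer_ip


def flag_untrusted_header_use(
    requests: Iterable[Tuple[str, Mapping[str, str]]],
    trusted_ranges: Sequence[ipaddress._BaseNetwork] = TRUSTED_PROXY_RANGES,
) -> List[Tuple[str, str]]:
    """Log-review helper: return (peer_ip, claimed_ip) for every request in which a
    peer outside the trusted proxy ranges supplied CF-Connecting-IP.

    Such requests are exactly the ones a vulnerable resolver would have trusted,
    so they are a good starting point when reviewing authentication logs.
    """
    flagged = []
    for peer_ip, headers in requests:
        claimed = _normalise(headers).get(HEADER)
        if claimed is not None and not peer_is_trusted_proxy(peer_ip, trusted_ranges):
            flagged.append((peer_ip, claimed))
    return flagged


# Constructed sample traffic: (TCP peer address, request headers).
SAMPLE_REQUESTS = [
    ("203.0.113.20", {"CF-Connecting-IP": "192.0.2.44"}),  # genuine proxied request
    ("198.51.100.7", {"CF-Connecting-IP": "192.0.2.44"}),  # direct client forging the header
    ("198.51.100.9", {}),                                  # direct client, no header
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLE_REQUESTS:
        print(f"peer={peer:14} vulnerable={client_ip_vulnerable(peer, hdrs):14} "
              f"hardened={client_ip_hardened(peer, hdrs)}")
    print("flagged:", flag_untrusted_header_use(SAMPLE_REQUESTS))
```

The key design choice is that the trust decision is made on the transport-layer peer address, which the client cannot forge, rather than on anything inside the HTTP request. If Cloudflare is not in front of the server, the trusted range list should be empty, which makes the hardened resolver ignore the header entirely and matches the last recommendation above.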
Evidence notes
The source corpus states that CVE-2026-43634 was published on 2026-05-19 and affects HestiaCP versions 1.2.0 through 1.9.4. The description explicitly says attackers can supply an arbitrary CF-Connecting-IP value without verifying the request originated from Cloudflare, enabling authentication control bypasses, fail2ban evasion, per-user IP allowlist bypass, and audit-log poisoning. NVD metadata lists the weakness as CWE-348 and assigns CVSS 4.0 vector data corresponding to a HIGH severity score of 8.7. The NVD record is marked Deferred in the provided source metadata.
Official resources
Publicly disclosed on 2026-05-19 in the CVE/NVD record and linked advisory materials. This debrief uses that published date for timing context.