What is GHSA-72fg-f46j-5gvp?

GHSA-72fg-f46j-5gvp is a security advisory published by GitHub Security Advisories with High severity. HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows...

Which CVE IDs does GHSA-72fg-f46j-5gvp cover?

GHSA-72fg-f46j-5gvp covers the following CVE IDs: CVE-2026-43634. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-72fg-f46j-5gvp?

GHSA-72fg-f46j-5gvp has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

GHSA-72fg-f46j-5gvpHighCVSS 7.5

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows...

Vendor

GitHub Security Advisories

Published

May 19, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-43634 →

📋 Description

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's network. Attackers can exploit this to circumvent fail2ban brute-force protection, bypass per-user IP allowlists, and poison authentication audit logs by spoofing trusted IP addresses on each request.

🔗 References (7)

https://nvd.nist.gov/vuln/detail/CVE-2026-43634
https://github.com/hestiacp/hestiacp/issues/5229
https://github.com/hestiacp/hestiacp/pull/5273
https://github.com/hestiacp/hestiacp/commit/f381e294500f671cf12716c638afd0bfde901f88
https://mercuryiss.com.au/hestiacp-unauthenticated-rce-ip-spoofing-cve-2026-43633-cve-2026-43634
https://www.vulncheck.com/advisories/hestiacp-ip-spoofing-via-cf-connecting-ip-header
https://github.com/advisories/GHSA-72fg-f46j-5gvp