Fluentd v1.19.3 has been released

2026-06-25
ClearCode, Inc.

fluentd announcement

Hi users!

We have released v1.19.3 on 2026-06-25. ChangeLog is here.

This release is a maintenance release of v1.19 series.

This release is bundled for fluent-package LTS version v6.0.4!

Security Fixes

Many vulnerabilities were fixed in this release.

Remote Code Execution (RCE) via Arbitrary File Write in ${tag} Placeholder
- CVE-2026-44024
- CVSS v3 score: 9.8/10 (Critical)
- Workarounds: Restrict network access, run as non-root user, use shared_key for authentication, filter incoming untrusted tags.
Exposure of Sensitive Information via Monitor Agent API
- CVE-2026-44025
- CVSS v3 score: 7.5/10 (High)
- Workarounds: Restrict network access for in_monitor_agent, allow connection from only localhost.
- Breaking changes: If you dare to keep previous non-secure behavior, need tweak include_config, include_retry and include_debug_info parameters.
```
<source>
  @type monitor_agent
  include_config true     # since v1.19.3, changed to false by default
  include_retry true      # since v1.19.3, newly introduced, false by default
  include_debug_info true # since v1.19.3, newly introduced, false by default
  ...
</source>
```
Denial of Service (DoS) via Gzip Decompression Bomb in in_http and in_forward
- CVE-2026-44160
- CVSS v3 score: 7.5/10 (High)
- Workarounds: Restrict network access for in_forward or in_http, use shared_key for authentication which allow trusted incoming source.
Server-Side Request Forgery (SSRF) via out_http Placeholder Expansion
- CVE-2026-44161
- CVSS v3 score: 7.2/10 (High)
- Workarounds: Avoid usage of dynamic hostname in placeholder, restrict network access from untrusted network, use only allowed hosts.

Additionally, similar vulnerability was also fixed in the following fluentd plugins:

fluent-plugin-s3 DoS via Gzip decompression vulnerability was fixed in 1.8.5
fluent-plugin-opentelemetry DoS via Gzip decompression vulnerability was fixed in 0.5.3

In most cases, there is no problem using deployed Fluentd within a closed, trusted network. If you could not update Fluentd immediately, consider to take advised mitigation in above advisories.

Bug Fixes

Many bugs were also fixed in this release.

in_debug_agent: accept only from local machine by default
buffer: resume buffer correctly even though path contains []
out_forward: avoid reusing closed keepalive sockets after remote
storage_local: fix encoding error when fix encoding error when reading non-ASCII characters

`in_debug_agent`: accept only from local machine by default

Historically, in_debug_agent accepts remote access by default.

This behavior is not problem because usually in_debug_agent must be explicitly enabled by users who know what you do.

But, there is an security concern which accepts external access by default even though user must enable it explicitly.

To mitigate security concern, changed that behavior a bit secure by default.

If you dare to keep previous non-secure behavior, specify 0.0.0.0 explicitly.

<source>
  @type monitor_agent
  bind 0.0.0.0   # prior to v1.19.3 default behavior
  bind 127.0.0.1 # since v1.19.3 default behavior
  ...
</source>

buffer: resume buffer correctly even though path contains []

If buffer path contains [] in tag something like "path test/${tag[0]}", when resuming buffer process can't find them without escaping bracket.

Thus buffer files remains under that directory.

In this release, that can be resumed correctly.

Note that recommended tag spec is specified in routing documentation, but it is easily shoot your legs in practical use-case if you use [] characters. so it is changed to take care of that case.

avoid reusing closed keepalive sockets after remote disconnects

In the previous versions, there was a keepalive socket reuse bug.

When a cached keepalive connection has already been closed by the remote side, out_forward could pick that socket back up and try to write to it again.

As a result, that left the flush thread spinning on a dead socket and can drive CPU usage to 100%.

`storage_local`: fix encoding error when fix encoding error when reading non-ASCII characters

If data containing non-latin characters are stored onto disk using the storage_local plugin, the file is properly written but cannot be read again once fluentd restarts. Now that behaviour was fixed by properly handling the file encoding.

Improvements

In this release, added some warnings for problematic use-cases.

If there are any potential issues with your configuration, Fluentd detects above cases additionally.

Enjoy logging!

Follow us on X

We have been posting information about Fluentd in Japanese on @fluentd_jp. We would appreciate it if you followed the X account.

There are some commercial supports for Fluentd, see Enterprise Services. If you use Fluentd on production, Let's share your use-case/testimonial on Testimonials page. Please consider to feedback Use-Case/Testimonials via GitHub.

Subscribed to the RSS feed here.

Written by ClearCode, Inc.

ClearCode, Inc. is a software company specializing in the development of Free Software. We maintain Fluentd and its plugin ecosystem, and provide commercial support for them.

About Fluentd

Fluentd is an open source data collector to unify log management.

Announcement Topics

2025-12-25: Drop schedule announcement about EOL of Fluent Package (fluent-package) 5

2025-09-04: Upgrade Guide for fluent-package v6

2024-08-29: Scheduled support lifecycle announcement about Fluent Package v6

2023-08-29: Drop schedule announcement about EOL of Treasure Agent (td-agent) 4

2023-08-29: Scheduled support lifecycle announcement about Fluent Package

2023-07-31: Upgrade to fluent-package v5

Learn

Want to learn the basics of Fluentd? Check out these pages.

Ask the Community

Couldn't find enough information? Let's ask the community!

Ask the Experts

You need commercial-grade support from Fluentd committers and experts?