Description
Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800
Published: 2026-05-12
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insecure default initialization of a resource used by the Pandora FMS API, allowing an attacker to bypass authentication and gain full API access. This flaw can be exploited to perform any action that an authenticated user could, potentially exposing confidential data and enabling destructive operations against the monitored infrastructure.

Affected Systems

Pandora FMS versions 777 through 800 are affected. The issue was addressed by the vendor in version 802 and in 800.2.

Risk and Exploitability

The CVSS score of 9.1 indicates a high severity. No EPSS score is available, and the vulnerability has not been listed in the CISA KEV catalog, but the lack of a mitigation does not reduce the risk. Attackers can target the exposed API endpoint without any additional authentication, making exploitation straightforward provided the system is reachable over the network.

Generated by OpenCVE AI on May 12, 2026 at 17:44 UTC.

Remediation

Vendor Solution

Fixed in v802 and 800.2

OpenCVE Recommended Actions

  • Upgrade to Pandora FMS 802 or 800.2 to apply the vendor fix.
  • If an immediate upgrade is not possible, restrict API access to a trusted subset of IP addresses or networks using firewall rules or server configuration.
  • Re‑evaluate any exposed administrative interfaces and enforce strict access controls to minimize the attack surface.

Generated by OpenCVE AI on May 12, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Pandora Fms
Pandora Fms pandora Fms
Vendors & Products Pandora Fms
Pandora Fms pandora Fms

Tue, 12 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800
Title Insecure Default Initialization in API Authentication leads to Authentication Bypass
Weaknesses CWE-1188
References
Metrics cvssV4_0

{'score': 9.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:C/RE:M/U:Amber'}

Subscriptions

Pandora Fms Pandora Fms
cve-icon MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-05-12T19:35:39.922Z

Reserved: 2026-03-05T16:16:01.150Z

Link: CVE-2026-30805

cve-icon Vulnrichment

Updated: 2026-05-12T19:35:33.878Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-12T16:16:12.683

Modified: 2026-05-12T16:47:47.137

Link: CVE-2026-30805

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T18:15:21Z

Weaknesses