Description
Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800
Published: 2026-05-12
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pandora FMS is vulnerable to session fixation, which allows an attacker to hijack an authenticated session by supplying a crafted session ID. The flaw is classified as CWE-384 (Session Fixation) and lets an adversary assume the identity of a legitimate user without knowing that user's credentials. The attacker acts with the same rights as the hijacked account and can potentially access sensitive data, execute privileged operations, or cause further compromise within the affected environment.

Affected Systems

The vulnerability affects Pandora FMS versions 777 through 800. The vendor provides an official fix in versions 802 and 800.2, which corrects the session ID handling.

Risk and Exploitability

The CVSS v4.0 score is 7.6 (High), indicating significant risk. No EPSS score is available, so there is no current estimate of exploit probability; the vulnerability is not listed in KEV, so it is not yet known to be actively exploited in the wild. Based on the description, it is inferred that an attacker can craft a valid session identifier remotely and supply it to the Pandora FMS web interface, thereby hijacking a legitimate user's session. Successful exploitation grants unauthorized access and privilege escalation without any local access, making the threat moderate to high for organizations running the affected versions.

Generated by OpenCVE AI on May 12, 2026 at 18:05 UTC.

Remediation

Vendor Solution

Fixed in v802 and 800.2


OpenCVE Recommended Actions

  • Upgrade to Pandora FMS v802 or 800.2 (the vendor patch), which fixes the session fixation flaw.
  • After upgrading, invalidate all active session identifiers and force users to log in again so that no previously hijacked session survives the upgrade.
  • If an immediate upgrade is not possible, regenerate the session ID immediately after authentication, add checks that prevent replay of session tokens, and monitor logs for suspicious reuse of session identifiers.
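A minimal model of the weak and hardened session handling that the recommendations above describe, added here as an example (constructed for illustration, not Pandora FMS code): a store that adopts an unknown client-supplied session ID and keeps it across login is the CWE-384 pattern, while strict mode (accept only server-issued IDs) and regeneration at login each close it. The SessionStore class, the USERS table and the fixation_succeeds check are all assumptions for this demo.

```python
"""Session-fixation model: weak login flow beside the hardened one (constructed demo)."""
import secrets

USERS = {"alice": "correct-horse"}  # constructed credentials for the demo only


class SessionStore:
    def __init__(self, strict: bool, regenerate_on_login: bool):
        self.strict = strict                          # reject IDs the server never issued
        self.regenerate_on_login = regenerate_on_login
        self.sessions: dict[str, dict] = {}           # session id -> attributes

    def resolve(self, presented_id):
        """Return the session id to use for this request.

        Weak behaviour (strict=False): an unknown client-supplied id is adopted
        as-is, so an id the client knew before login stays valid afterwards.
        """
        if presented_id in self.sessions:
            return presented_id
        if presented_id and not self.strict:
            self.sessions[presented_id] = {"user": None}
            return presented_id
        sid = secrets.token_urlsafe(32)               # server-issued, unpredictable id
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, presented_id, username, password):
        sid = self.resolve(presented_id)
        expected = USERS.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            return sid                                # failed login: no privilege change
        if self.regenerate_on_login:
            # CWE-384 fix: issue a fresh id at the privilege change, retire the old one
            data = self.sessions.pop(sid)
            sid = secrets.token_urlsafe(32)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = username
        return sid

    def user_for(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_succeeds(store: SessionStore) -> bool:
    """Does an id known before login still resolve to the user after login?"""
    pre_login_id = "id-known-before-login"            # constructed pre-authentication id
    store.login(pre_login_id, "alice", "correct-horse")
    return store.user_for(pre_login_id) == "alice"
```

Only the store with neither protection returns True; strict mode and regeneration-at-login are independent, and a hardened deployment applies both.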

Generated by OpenCVE AI on May 12, 2026 at 18:05 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 18:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Pandora Fms; Pandora Fms pandora Fms
Vendors & Products                     Pandora Fms; Pandora Fms pandora Fms

Tue, 12 May 2026 16:00:00 +0000

Type          Values Removed    Values Added
Description                     Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800
Title                           Session Fixation in Authentication leads to Session Hijacking
Weaknesses                      CWE-384
References
Metrics                         cvssV4_0: {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:U/V:C/RE:L/U:Amber'}


MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-05-12T19:39:27.492Z

Reserved: 2026-03-05T16:16:01.150Z

Link: CVE-2026-30808

Vulnrichment

Updated: 2026-05-12T19:38:34.333Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T16:16:12.973

Modified: 2026-05-12T16:47:47.137

Link: CVE-2026-30808

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T18:15:21Z

Weaknesses