Description
Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800.
Published: 2026-05-12
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A server‑side request forgery (SSRF) flaw in the API Checker extension allows attackers to send arbitrary requests from the FMS server, giving them the ability to access internal services and execute privileged API calls. The vulnerability is identified as CWE‑918 and can enable an attacker to bypass normal access controls, effectively elevating privileges within the system.

Affected Systems

Pandora FMS products from version 777 through 800 are impacted. The vendor notes that the issue is fixed in later releases 802 and 800.2.

Risk and Exploitability

The CVSS score of 7.1 places the flaw in the High severity band. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that no widespread exploitation is currently documented. Attackers would need the ability to interact with the vulnerable API Checker, and internal services must be reachable from the FMS server that issues the forged requests, so adequate network segmentation can reduce the risk. However, exploitation remains feasible without advanced prerequisites, so the threat should be treated as a medium-to-high risk.

Generated by OpenCVE AI on May 12, 2026 at 17:43 UTC.

Remediation

Vendor Solution

Fixed in v802 and v800.2


OpenCVE Recommended Actions

  • Upgrade Pandora FMS to version 802 or 800.2 where the API Checker fix is included
  • Disable or restrict the API Checker extension so it only accepts requests from trusted IP addresses
  • Configure firewall or network segmentation rules to block internal service requests originating from the API Checker



Advisories

No advisories yet.

History

Tue, 12 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Tue, 12 May 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Pandora Fms; Pandora Fms pandora Fms |
| Vendors & Products | | Pandora Fms; Pandora Fms pandora Fms |

Tue, 12 May 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Server-Side Request Forgery vulnerability allows Privilege Escalation via API Checker extension. This issue affects Pandora FMS: from 777 through 800 |
| Title | | Server-Side Request Forgery in API Checker leads to Privilege Escalation |
| Weaknesses | | CWE-918 |
| References | | |
| Metrics | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N/S:N/AU:Y/R:U/V:C/RE:M/U:Amber'} |


MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-05-12T19:41:46.543Z

Reserved: 2026-03-05T16:16:01.151Z

Link: CVE-2026-30810

Vulnrichment

Updated: 2026-05-12T19:41:41.417Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T16:16:13.130

Modified: 2026-05-12T16:47:47.137

Link: CVE-2026-30810

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T19:00:18Z
