Description
Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800
Published: 2026-04-13
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from the absence of an authorization check in a configuration Ajax endpoint, allowing any user who can reach the endpoint to retrieve confidential data. The weakness is rooted in missing authorization controls, which is classified as a high‑severity information disclosure that can compromise the confidentiality of the system.

Affected Systems

Pandora FMS products, versions from 777 up to 800, are vulnerable to this flaw. The vendor has identified these releases as affected.

Risk and Exploitability

The issue scores a CVSS base of 8.4, indicating a high risk to data confidentiality. No EPSS information is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by issuing the specific Ajax request to the configuration endpoint without authentication, enabling them to read sensitive data.

Generated by OpenCVE AI on April 13, 2026 at 18:38 UTC.

Remediation

Vendor Solution

Fixed in v800.1 and v801 Pandora FMS versions

OpenCVE Recommended Actions

  • Upgrade Pandora FMS to version 800.1 or later to eliminate the flaw.
  • If an upgrade is not immediately possible, block or restrict access to the configuration Ajax endpoint, limiting it to trusted IP ranges.
  • Verify the currently installed version and confirm that it is not within the vulnerable range.
  • Monitor logs for any unauthorized attempts to access the configuration endpoint.

Generated by OpenCVE AI on April 13, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Artica
Artica pandora Fms
CPEs cpe:2.3:a:artica:pandora_fms:*:*:*:*:*:*:*:*
Vendors & Products Artica
Artica pandora Fms
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Pandora Fms
Pandora Fms pandora Fms
Vendors & Products Pandora Fms
Pandora Fms pandora Fms

Mon, 13 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800
Title Missing Authorization in Configuration Ajax Endpoint leads to Information Disclosure
Weaknesses CWE-276
References
Metrics cvssV4_0

{'score': 8.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:H/S:N/AU:Y/R:U/V:C/RE:L/U:Amber'}

Subscriptions

Artica Pandora Fms
Pandora Fms Pandora Fms
cve-icon MITRE

Status: PUBLISHED

Assigner: PandoraFMS

Published:

Updated: 2026-04-13T17:58:34.188Z

Reserved: 2026-03-05T16:16:01.151Z

Link: CVE-2026-30811

cve-icon Vulnrichment

Updated: 2026-04-13T17:58:04.214Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-13T16:16:25.993

Modified: 2026-04-22T14:31:22.140

Link: CVE-2026-30811

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:34:05Z

Weaknesses