{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30811", "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "state": "PUBLISHED", "assignerShortName": "PandoraFMS", "dateReserved": "2026-03-05T16:16:01.151Z", "datePublished": "2026-04-13T15:47:40.198Z", "dateUpdated": "2026-04-13T17:58:34.188Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS", "dateUpdated": "2026-04-13T15:47:40.198Z"}, "title": "Missing Authorization in Configuration Ajax Endpoint leads to Information Disclosure", "datePublic": "2026-04-13T15:49:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-276", "description": "CWE-276 Incorrect default permissions", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "affected": [{"vendor": "Pandora FMS", "product": "Pandora FMS", "platforms": ["all"], "versions": [{"status": "affected", "version": "777", "lessThanOrEqual": "800", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800"}]}], "references": [{"url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "Safety": "NEGLIGIBLE", "Automatable": "YES", "Recovery": "USER", "valueDensity": "CONCENTRATED", "vulnerabilityResponseEffort": "LOW", "providerUrgency": "AMBER", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:H/S:N/AU:Y/R:U/V:C/RE:L/U:Amber"}}], "solutions": [{"lang": "en", "value": "Fixed in v800.1 and v801 Pandora FMS versions", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Fixed in v800.1 and v801 Pandora FMS versions"}]}], "credits": [{"lang": "en", "value": "Pedro J. N\u00fa\u00f1ez-Cacho Fuentes <tunelko@gmail.com>", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:57:53.127192Z", "id": "CVE-2026-30811", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:58:34.188Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30811", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:57:53.127192Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:58:04.214Z"}}], "cna": {"title": "Missing Authorization in Configuration Ajax Endpoint leads to Information Disclosure", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Pedro J. N\u00fa\u00f1ez-Cacho Fuentes <tunelko@gmail.com>"}], "impacts": [{"capecId": "CAPEC-87", "descriptions": [{"lang": "en", "value": "CAPEC-87 Forceful Browsing"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NEGLIGIBLE", "version": "4.0", "Recovery": "USER", "baseScore": 8.4, "Automatable": "YES", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:H/S:N/AU:Y/R:U/V:C/RE:L/U:Amber", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "AMBER", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pandora FMS", "product": "Pandora FMS", "versions": [{"status": "affected", "version": "777", "versionType": "custom", "lessThanOrEqual": "800"}], "platforms": ["all"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Fixed in v800.1 and v801 Pandora FMS versions", "supportingMedia": [{"type": "text/html", "value": "Fixed in v800.1 and v801 Pandora FMS versions", "base64": false}]}], "datePublic": "2026-04-13T15:49:00.000Z", "references": [{"url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276 Incorrect default permissions"}]}], "providerMetadata": {"orgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "shortName": "PandoraFMS", "dateUpdated": "2026-04-13T15:47:40.198Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30811", "state": "PUBLISHED", "dateUpdated": "2026-04-13T17:58:34.188Z", "dateReserved": "2026-03-05T16:16:01.151Z", "assignerOrgId": "63375d6c-d89a-45ed-8ecc-c8c361b0e04c", "datePublished": "2026-04-13T15:47:40.198Z", "assignerShortName": "PandoraFMS"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800"}], "id": "CVE-2026-30811", "lastModified": "2026-04-13T16:16:25.993", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "YES", "Recovery": "USER", "Safety": "NEGLIGIBLE", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "AMBER", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "CONCENTRATED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "LOW"}, "source": "security@pandorafms.com", "type": "Secondary"}]}, "published": "2026-04-13T16:16:25.993", "references": [{"source": "security@pandorafms.com", "url": "https://pandorafms.com/en/security/common-vulnerabilities-and-exposures/"}], "sourceIdentifier": "security@pandorafms.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "security@pandorafms.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["all"], "status": "affected", "versions": {"scheme": "generic", "value": "[777,800]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Pandora FMS", "source": "cna", "vendor": "Pandora FMS"}, "product": "pandora_fms", "vendor": "pandora_fms"}], "analysis": {"en": {"generated_at": "2026-04-13T18:38:04.611682+00:00", "value": {"mitigation_remediation": ["Upgrade Pandora FMS to version 800.1 or later to eliminate the flaw.", "If an upgrade is not immediately possible, block or restrict access to the configuration Ajax endpoint, limiting it to trusted IP ranges.", "Verify the currently installed version and confirm that it is not within the vulnerable range.", "Monitor logs for any unauthorized attempts to access the configuration endpoint."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Information Disclosure"}, "threat_synthesis": {"affected_systems": "Pandora FMS products, versions from 777 up to 800, are vulnerable to this flaw. The vendor has identified these releases as affected.", "description_and_impact": "This vulnerability arises from the absence of an authorization check in a configuration Ajax endpoint, allowing any user who can reach the endpoint to retrieve confidential data. The weakness is rooted in missing authorization controls, which is classified as a high\u2011severity information disclosure that can compromise the confidentiality of the system.", "risk_and_exploitability": "The issue scores a CVSS base of 8.4, indicating a high risk to data confidentiality. No EPSS information is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by issuing the specific Ajax request to the configuration endpoint without authentication, enabling them to read sensitive data."}}}}, "created": "2026-04-14T16:18:57.484368+00:00", "updated": "2026-04-14T16:34:05.907345+00:00", "vendors": ["pandora_fms", "pandora_fms$PRODUCT$pandora_fms"]}