
CVE-2026-30810: Artica Pandora FMS SSRF Vulnerability

CVE-2026-30810 is a server-side request forgery vulnerability in Artica Pandora FMS that enables privilege escalation via the API Checker extension. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-30810 Overview

CVE-2026-30810 is a Server-Side Request Forgery (SSRF) vulnerability in Pandora FMS that enables privilege escalation through the API Checker extension. The flaw affects Pandora FMS versions 777 through 800. An authenticated attacker with low privileges can abuse the API Checker to issue server-originated HTTP requests, reaching internal endpoints and obtaining elevated access. The weakness is classified under CWE-918: Server-Side Request Forgery.

Critical Impact

Authenticated attackers can leverage the API Checker extension to forge server-side requests, escalate privileges, and access internal resources within the Pandora FMS deployment.

Affected Products

  • Artica Pandora FMS version 777
  • Artica Pandora FMS versions 778 through 799
  • Artica Pandora FMS version 800

Discovery Timeline

  • 2026-05-12 - CVE-2026-30810 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-30810

Vulnerability Analysis

The vulnerability resides in the API Checker extension of Pandora FMS. The extension is intended to validate connectivity and responses from configured API endpoints. It accepts a user-supplied URL and performs an outbound HTTP request from the Pandora FMS server. The component fails to restrict the destination of those requests.

An authenticated user with limited privileges can submit URLs pointing to internal services, loopback interfaces, or privileged management endpoints. The server then performs the request on behalf of the attacker. Responses returned to the attacker disclose data from systems that should be unreachable from the user's session context.

Because the requests originate from the Pandora FMS application, they carry the trust that internal services place in the server itself. An attacker can chain this primitive with internal authentication endpoints to escalate privileges within the application.

Root Cause

The root cause is missing validation of user-controlled URL input within the API Checker extension. The component does not enforce an allowlist of permitted hosts, block private IP address ranges, or restrict request schemes. This satisfies the conditions of CWE-918 (Server-Side Request Forgery).

Attack Vector

Exploitation requires network access to the Pandora FMS web interface and valid credentials with low privilege. The attacker submits a crafted URL through the API Checker extension. The application issues the request and returns response data to the attacker, enabling internal reconnaissance and privilege escalation flows.

No verified proof-of-concept code has been published. Refer to the PandoraFMS Vulnerability Overview for vendor technical details.

Detection Methods for CVE-2026-30810

Indicators of Compromise

  • Outbound HTTP requests from the Pandora FMS server to internal IP ranges, loopback addresses, or cloud metadata endpoints such as 169.254.169.254.
  • API Checker extension invocations from low-privileged accounts targeting non-standard URLs.
  • Unexpected privilege changes or new administrative sessions following API Checker activity.

Detection Strategies

  • Review Pandora FMS audit logs for entries referencing the API Checker extension and correlate with the requesting user and target URL.
  • Inspect web server access logs for POST requests to API Checker endpoints originating from non-administrative accounts.
  • Monitor egress network traffic from the Pandora FMS host for connections to RFC1918 addresses or localhost services.
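As an added illustration (not code from this page or from Pandora FMS), the following Python performs the destination validation the root-cause section says the extension lacks (scheme restriction, host allowlist, rejection of names resolving into loopback, private or link-local space) and then runs the same check over constructed audit entries to implement the user/URL correlation described under Detection Strategies. The allowlist, permitted roles, static resolver and audit rows are assumptions, not values from the advisory.

```python
import ipaddress
import socket
from urllib.parse import urlparse
# Hypothetical allowlist of checker destinations and permitted roles (assumptions, not from the advisory).
ALLOWED_HOSTS = {"api.example.com", "status.example.org"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_ROLES = {"admin", "operations", "integration"}

def dns_resolve(host):
    """Return every IP string a hostname maps to (IPv4 and IPv6); empty list on lookup failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []

def classify_url(url, resolve=dns_resolve):
    """Return 'ok' or the reason a checker destination must be rejected. `resolve` maps a
    hostname to IP strings and is injectable so the check runs offline in tests."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:                  # gap 1: unrestricted scheme
        return "scheme-not-allowed"
    host = parts.hostname
    if not host or host.lower() not in ALLOWED_HOSTS:        # gap 2: no host allowlist (IP literals fail here)
        return "host-not-allowlisted"
    addrs = resolve(host)
    if not addrs:
        return "unresolvable"
    for addr in addrs:                                       # gap 3: allowlisted name resolving into private space
        # is_global is False for loopback, RFC1918, link-local (169.254.0.0/16) and reserved ranges
        if not ipaddress.ip_address(addr).is_global:
            return "resolves-to-internal"
    return "ok"   # the caller should connect to the address just checked, not re-resolve the name

def flag_suspicious(entries, resolve=dns_resolve):
    """Flag (user, role, url) audit entries a hardened checker would reject or that come from an unexpected role."""
    flagged = []
    for user, role, url in entries:
        reason = classify_url(url, resolve)
        if reason == "ok" and role not in ALLOWED_ROLES:
            reason = "role-not-permitted"
        if reason != "ok":
            flagged.append((user, url, reason))
    return flagged

# Constructed fixtures (not real Pandora FMS data): a static resolver table and sample audit entries.
STATIC_DNS = {"api.example.com": ["8.8.8.8"], "status.example.org": ["9.9.9.9"]}
SAMPLE_AUDIT = [("ops", "operations", "https://api.example.com/health"), ("jdoe", "readonly", "http://127.0.0.1:8080/"),
                ("jdoe", "readonly", "http://169.254.169.254/latest/"), ("jdoe", "readonly", "https://status.example.org/v1")]
```

Pass `lambda h: STATIC_DNS.get(h, [])` as `resolve` to run the sample offline; with the default resolver the same function validates live input.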

Monitoring Recommendations

  • Alert on any API Checker usage by accounts not assigned to operations or integration roles.
  • Track creation of new user accounts or role modifications occurring within short windows after API Checker activity.
  • Forward Pandora FMS application and web server logs to a centralized SIEM for correlation with network telemetry.

How to Mitigate CVE-2026-30810

Immediate Actions Required

  • Upgrade Pandora FMS to a fixed release as published in the PandoraFMS Vulnerability Overview.
  • Restrict access to the API Checker extension to trusted administrative roles only.
  • Audit existing user accounts and remove unnecessary low-privilege access to the web console.

Patch Information

Artica publishes security advisories and remediation guidance through the PandoraFMS Vulnerability Overview. Administrators running versions 777 through 800 should apply the vendor-supplied update referenced in that advisory.

Workarounds

  • Disable the API Checker extension if it is not required for operational workflows.
  • Apply network-level egress filtering on the Pandora FMS server to block requests to internal IP ranges and cloud metadata services.
  • Enforce strict role-based access control so only administrators can invoke API validation tooling.
```bash
# Example egress restriction using iptables on the Pandora FMS host.
# Caveat: OUTPUT rules apply to every process on the host. Blocking 127.0.0.0/8 and the
# RFC1918 ranges outright also breaks services Pandora FMS itself uses over loopback (for
# example a co-located database) and the server daemons that monitor hosts in those ranges.
# Scope the rules to the web-server account with the owner match, e.g.
#   -m owner --uid-owner <web-server-user>    (account name depends on the distribution)
# and add matching ip6tables rules for ::1 and fc00::/7 where IPv6 is enabled.
iptables -A OUTPUT -d 127.0.0.0/8 -j REJECT       # loopback
iptables -A OUTPUT -d 169.254.169.254 -j REJECT   # cloud metadata service
iptables -A OUTPUT -d 10.0.0.0/8 -j REJECT        # RFC1918
iptables -A OUTPUT -d 172.16.0.0/12 -j REJECT     # RFC1918
iptables -A OUTPUT -d 192.168.0.0/16 -j REJECT    # RFC1918
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
