CVE-2026-35548 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been discovered in GuardSix (formerly Logpoint) ODBC Enrichment Plugins before version 5.2.1. The vulnerability stems from a logic flaw in how stored database credentials are handled when a connection endpoint is modified. When an authenticated Operator user edits an existing Enrichment Source, the previously stored credentials are retained even if the Host, IP address, or Port is changed to a different target system. An attacker with Operator-level access can therefore redirect the plugin's outbound database connection to a target of their choosing and have the GuardSix server present valid stored credentials to an internal system they were never meant for, potentially exposing sensitive internal resources.
Critical Impact
Authenticated attackers can leverage stored database credentials to perform SSRF attacks against internal systems, potentially accessing sensitive data and pivoting to internal network resources that should not be accessible.
Affected Products
- GuardSix (formerly Logpoint) ODBC Enrichment Plugins before version 5.2.1
- GuardSix versions prior to 7.9.0.0 (GuardSix 7.9.0.0 ships the fixed plugin version 5.2.1)
Discovery Timeline
- 2026-04-22 - CVE-2026-35548 published to NVD
- 2026-04-22 - Last updated in the NVD database
Technical Details for CVE-2026-35548
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The flaw lies in the ODBC Enrichment Source configuration functionality within GuardSix: the system does not invalidate or clear stored database credentials when a user modifies the connection endpoint (Host, IP address, or Port). The result is a trust-boundary violation in which credentials that were entered for one database system are presented, unchanged, to whatever target the editor points the source at.
The attack requires authenticated access with Operator-level privileges, meaning an insider threat or compromised Operator account could exploit this vulnerability. Once exploited, the attacker can leverage the stored valid credentials to establish connections to internal systems that may not have been intended targets, potentially bypassing network segmentation and access controls.
Root Cause
The root cause is a logic flaw in the credential management for ODBC Enrichment Sources. The application treats the stored credentials as a property of the Enrichment Source record rather than of the endpoint they were entered for, so modifying the connection parameters (Host, IP, Port) preserves the existing credentials instead of requiring them to be re-entered. Because there is no binding between a stored credential and its intended endpoint, the same secret can be reused against any connection target the editor chooses.
Attack Vector
The attack leverages network-based access with low attack complexity but requires authenticated Operator-level privileges. An attacker would:
- Authenticate to the GuardSix system with Operator privileges
- Navigate to an existing ODBC Enrichment Source configuration with stored credentials
- Modify the Host, IP address, or Port fields to point to an internal target system
- Save the configuration, causing the system to attempt connection to the new target using the original stored credentials
- Observe whether the connection succeeds and what the enrichment source returns; a successful lookup against the new target confirms that the original credentials were accepted there
The vulnerability is rated as scope-changed, meaning that successful exploitation affects resources beyond the vulnerable component's own security scope: the internal database systems reachable from the GuardSix server, not only the GuardSix application itself.
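The following is an added example that models the root cause described above and the edit sequence just listed. It is not GuardSix or Logpoint plugin code: the EnrichmentSource record, the two update functions and the DSN format are assumptions made for illustration. The "vulnerable" function reproduces the behaviour the advisory describes (a stored password silently follows a changed Host/Port), and the "hardened" function shows one fix, binding the credential to the endpoint it was entered for and failing closed until an editor supplies a fresh one.

```python
"""Model of the credential-retention flaw behind CVE-2026-35548 and one fix.

Added example, not GuardSix/Logpoint code. The data model, the update
functions and the DSN format below are assumptions for illustration only.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Fields that identify the connection target. Per the advisory, changing any
# of these must not carry the previously stored secret to the new target.
ENDPOINT_FIELDS = ("host", "port")


@dataclass
class EnrichmentSource:
    """Hypothetical ODBC enrichment source record."""
    name: str
    host: str
    port: int
    database: str
    username: str
    password: Optional[str]   # None = no usable secret stored for this endpoint


class MissingCredentialError(Exception):
    """Raised when a connection is attempted with no credential bound."""


def build_dsn(src: EnrichmentSource) -> str:
    """Build an ODBC-style connection string (format is an assumption)."""
    if src.password is None:
        raise MissingCredentialError(
            f"{src.name}: credentials must be re-entered for {src.host}:{src.port}"
        )
    return (f"DRIVER={{ODBC}};SERVER={src.host};PORT={src.port};"
            f"DATABASE={src.database};UID={src.username};PWD={src.password}")


def vulnerable_update(src: EnrichmentSource, changes: dict) -> EnrichmentSource:
    """Pre-fix behaviour as modelled: the edited fields are overwritten and the
    stored password is left in place, so it silently follows a new host/port."""
    return replace(src, **changes)


def hardened_update(src: EnrichmentSource, changes: dict) -> EnrichmentSource:
    """Fixed behaviour as modelled: a credential is bound to the endpoint it was
    entered for. If host or port actually changes and the request carries no
    fresh password, the old one is discarded and the source cannot connect
    until an editor supplies new credentials."""
    endpoint_changed = any(
        f in changes and changes[f] != getattr(src, f) for f in ENDPOINT_FIELDS
    )
    updated = replace(src, **changes)
    if endpoint_changed and "password" not in changes:
        updated.password = None      # fail closed rather than reuse the secret
    return updated


# Constructed sample: an existing source pointing at the intended database.
ORIGINAL = EnrichmentSource(
    name="hr_lookup", host="hr-db.corp.example", port=1433,
    database="hr", username="enrich_ro", password="s3cret",
)
# Constructed attacker edit (hypothetical target): same record, endpoint
# redirected to an internal host these credentials were never meant for.
REDIRECT = {"host": "10.0.5.20", "port": 5432}


def demo_vulnerable() -> str:
    """DSN the old logic would use: original secret, attacker-chosen target."""
    return build_dsn(vulnerable_update(ORIGINAL, REDIRECT))


def demo_hardened() -> Optional[str]:
    """None when the fixed logic refuses to connect without re-entry."""
    try:
        return build_dsn(hardened_update(ORIGINAL, REDIRECT))
    except MissingCredentialError:
        return None


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("hardened  :", demo_hardened())
```

Note that hardened_update compares the new value against the stored one, so re-saving a form with an unchanged Host/Port does not wipe the credential; only a real move of the endpoint does, and an edit that moves the endpoint and supplies a new password in the same request goes through.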
Detection Methods for CVE-2026-35548
Indicators of Compromise
- Unexpected modification of ODBC Enrichment Source configurations, particularly changes to Host, IP address, or Port fields
- Database connection attempts from the GuardSix server to internal systems that were not originally configured as enrichment sources
- Audit logs showing Operator users editing enrichment source connection parameters without corresponding credential re-entry events
Detection Strategies
- Monitor configuration change logs for ODBC Enrichment Source modifications, flagging any changes to connection endpoints
- Implement network monitoring to detect unusual outbound database connection attempts from the GuardSix server to unexpected internal destinations
- Establish baseline of normal enrichment source configurations and alert on deviations
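The two detection ideas above (an Operator edit that moves Host/IP/Port without a credential re-entry, and an outbound database connection to a destination outside the approved baseline) are implemented below over constructed audit log lines. This is an added example, not GuardSix code: the JSON-lines schema, the action names and the field names are assumptions, and a real deployment would map them onto the product's actual audit and network logs.

```python
"""Detection logic for the indicators above, run over constructed audit lines.

Added example, not GuardSix code. The JSON-lines audit schema, the action
names and the field names are assumptions made for illustration.
"""
import json
from typing import Dict, Iterable, List, Set

ENDPOINT_FIELDS = {"host", "ip", "port"}
CREDENTIAL_FIELDS = {"username", "password"}

# Constructed sample audit events (assumed schema). Secrets are assumed to be
# masked in the audit trail; only the fact that a password was re-entered matters.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-04-23T09:10:02Z", "user": "alice", "role": "Operator", "action": "enrichment_source.update", "source": "hr_lookup", "changed": {"description": {"old": "HR", "new": "HR lookup"}}}
{"ts": "2026-04-23T09:14:40Z", "user": "bob", "role": "Operator", "action": "enrichment_source.update", "source": "hr_lookup", "changed": {"host": {"old": "hr-db.corp.example", "new": "10.0.5.20"}, "port": {"old": 1433, "new": 5432}}}
{"ts": "2026-04-23T09:20:11Z", "user": "carol", "role": "Admin", "action": "enrichment_source.update", "source": "crm_lookup", "changed": {"host": {"old": "crm-old.corp.example", "new": "crm-new.corp.example"}, "password": {"old": "***", "new": "***"}}}
{"ts": "2026-04-23T09:25:00Z", "user": "bob", "role": "Operator", "action": "enrichment_source.connect", "source": "hr_lookup", "target": "10.0.5.20:5432", "result": "ok"}
{"ts": "2026-04-23T09:30:00Z", "user": "system", "role": "System", "action": "enrichment_source.connect", "source": "crm_lookup", "target": "crm-new.corp.example:1433", "result": "ok"}
"""

# Constructed baseline of approved enrichment endpoints (host:port).
APPROVED_ENDPOINTS: Set[str] = {"hr-db.corp.example:1433", "crm-new.corp.example:1433"}


def parse_events(text: str) -> List[Dict]:
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def endpoint_changes_without_reentry(events: Iterable[Dict]) -> List[Dict]:
    """Flag updates that move host/ip/port but carry no credential change.
    This is the edit pattern that exploits the pre-5.2.1 behaviour."""
    alerts = []
    for ev in events:
        if ev.get("action") != "enrichment_source.update":
            continue
        changed = ev.get("changed", {})
        moved = sorted(
            f for f in changed
            if f in ENDPOINT_FIELDS and changed[f].get("old") != changed[f].get("new")
        )
        if moved and not (CREDENTIAL_FIELDS & set(changed)):
            alerts.append({
                "ts": ev["ts"], "user": ev["user"], "role": ev.get("role"),
                "source": ev["source"], "moved": moved,
                "new_values": {f: changed[f]["new"] for f in moved},
            })
    return alerts


def connections_outside_baseline(events: Iterable[Dict], approved: Set[str]) -> List[Dict]:
    """Flag connection attempts to targets that are not approved endpoints
    (the network-level indicator, here read from the same audit stream)."""
    return [
        {"ts": ev["ts"], "user": ev.get("user"), "source": ev.get("source"),
         "target": ev["target"]}
        for ev in events
        if ev.get("action") == "enrichment_source.connect"
        and ev.get("target") not in approved
    ]


def run_detection(text: str = SAMPLE_AUDIT_LOG) -> Dict[str, List[Dict]]:
    """Run both rules and return their hits keyed by rule name."""
    events = parse_events(text)
    return {
        "endpoint_change_without_reentry": endpoint_changes_without_reentry(events),
        "connection_outside_baseline": connections_outside_baseline(events, APPROVED_ENDPOINTS),
    }


if __name__ == "__main__":
    for rule, hits in run_detection().items():
        print(rule)
        for hit in hits:
            print("  ", hit)
```

On the constructed sample the first rule fires only for bob's edit (alice changed no endpoint field; carol moved the host but re-entered the password in the same change), and the second rule fires for the connection to 10.0.5.20:5432, which is not in the approved baseline. Correlating the two on user and source, within a short window, gives a higher-confidence signal than either alone.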
Monitoring Recommendations
- Enable detailed audit logging for all Enrichment Source configuration changes including field-level change tracking
- Configure network-level monitoring between the GuardSix server and internal network segments to detect anomalous ODBC connection patterns
- Review Operator user activity logs regularly for suspicious configuration modification patterns
How to Mitigate CVE-2026-35548
Immediate Actions Required
- Upgrade GuardSix ODBC Enrichment Plugins to version 5.2.1 or later
- Upgrade GuardSix to version 7.9.0.0 or later which includes the patched plugin version
- Review existing ODBC Enrichment Source configurations for any unauthorized modifications
- Audit Operator user accounts and remove unnecessary privileges where possible
Patch Information
The vulnerability has been addressed in GuardSix ODBC Enrichment Plugins version 5.2.1, which is included with GuardSix version 7.9.0.0. Organizations should update to the patched version as soon as possible. For detailed patch information, refer to the GuardSix SSRF Vulnerability Article on the GuardSix Service Desk.
Workarounds
- Implement network-level controls to restrict outbound database connections from the GuardSix server to only approved enrichment source endpoints
- Review and limit Operator-level access to only users who require the ability to configure enrichment sources
- Enable enhanced logging for configuration changes and alert on any ODBC Enrichment Source modification until the patch is deployed
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.