
Pandora FMS CVE-2026-30805

EUVD-2026-29494 · CRITICAL
Initialization of a Resource with an Insecure Default (CWE-1188)
Published 2026-05-12 · PandoraFMS · GHSA-m2m9-vhw3-w774
Score: 9.1 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 9.1 CRITICAL

Primary rating from NVD; NVD is the only source scoring this CVE.

CVSS vector (NVD):

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:C/RE:M/U:Amber
Attack Vector: Network (AV:N)
Attack Complexity: High (AC:H)
Attack Requirements: Present (AT:P), i.e. a deployment condition outside the attacker's control must hold
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Vulnerable System Impact: Confidentiality High, Integrity High, Availability None (VC:H/VI:H/VA:N)
Subsequent System Impact: None (SC:N/SI:N/SA:N)
Safety (supplemental): Negligible (S:N). CVSS 4.0 has no Scope metric; the "S:N" in the vector is the Safety supplemental metric, not Scope.

Lifecycle Timeline (3 events, newest first)

May 12, 2026, 16:32 · Analysis generated (vuln.today)
May 12, 2026, 16:22 · CVSS changed (NVD): 9.1 (CRITICAL)
May 12, 2026, 15:09 · CVE published (NVD): 9.1 CRITICAL

Description (CVE.org)

Insecure Default Initialization of Resource vulnerability allows Authentication Bypass via API access. This issue affects Pandora FMS: from 777 through 800.

Analysis (AI)

Authentication bypass in Pandora FMS versions 777 through 800 allows remote, unauthenticated attackers to gain API access because a resource involved in API authentication is initialized with an insecure default. The weakness is CWE-1188, Initialization of a Resource with an Insecure Default: the software starts from a default state that is not secure, so the normal authentication check can be circumvented rather than defeated, giving high confidentiality and integrity impact on the vulnerable system. The NVD vector rates attack complexity as High and attack requirements as Present, so exploitation depends on the affected instance actually being in that default state. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata, not from a published exploit:

Recon: network scan identifies a Pandora FMS API endpoint.
Delivery: enumerate the version and confirm it is in the vulnerable range (777 through 800).
Exploit: craft an API request that takes advantage of the insecure default initialization.
Install: bypass the authentication mechanism.
C2: access the API with elevated privileges.
Execute: extract monitoring credentials and network topology.
Impact: modify configurations to disable security alerting.

Vulnerability Assessment (AI)

Exploitation: requires Pandora FMS versions 777 through 800 with the API component deployed in the default initialization state as delivered by the vendor; instances whose defaults have been changed may not be reachable this way. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: real-world risk signals (EPSS, KEV, SSVC) are mixed and require careful interpretation. …

Exploit Scenario: a remote attacker identifies a Pandora FMS instance (versions 777 through 800) via banner grabbing or version enumeration. Knowing the insecure default resource initialization, the attacker crafts API requests that exploit the authentication bypass to gain administrative API access without credentials. …

Remediation: upgrade to Pandora FMS version 801 or later. All builds from 777 through 800 are listed as vulnerable; the fix version is inferred from the vendor closing the affected range at 800 and has not been independently verified from the data on this page. …

Recommended Action (AI)

Within 24 hours: Inventory all Pandora FMS deployments and identify systems running versions 777-800; isolate or restrict network access to affected instances pending remediation. …
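The inventory step above is easier to do consistently with a small triage script. The following is an added example, not code from vuln.today or from the Pandora FMS project. It assumes that Pandora FMS reports its version in the form "7.0NG.<build>" (optionally with a "v" prefix and a build-date suffix); that format, the hostnames and the banners in the sample inventory are constructed for illustration, and the "fixed from 801" boundary is the inference stated on this page, not a vendor-confirmed fix version.

```python
import re
from typing import List, Optional, Tuple

# Build numbers listed as affected in the CVE record (inclusive).
AFFECTED_MIN = 777
AFFECTED_MAX = 800
# First build assumed fixed, as inferred on this page (not vendor-verified).
ASSUMED_FIXED = 801

# ASSUMPTION: the version banner contains "7.0NG.<build>", possibly prefixed
# with "v" and followed by a build-date suffix such as "- Build PC230123".
VERSION_RE = re.compile(r"v?7\.0NG\.(?P<build>\d{3,4})", re.IGNORECASE)


def parse_build(banner: str) -> Optional[int]:
    """Extract the numeric build from a version banner, or None if absent."""
    m = VERSION_RE.search(banner or "")
    return int(m.group("build")) if m else None


def classify(banner: str) -> str:
    """Map a banner to one of: affected, fixed, below-range, unknown."""
    build = parse_build(banner)
    if build is None:
        return "unknown"          # no usable banner: treat as needing a manual check
    if AFFECTED_MIN <= build <= AFFECTED_MAX:
        return "affected"
    if build < AFFECTED_MIN:
        return "below-range"      # older than the listed range; not claimed affected
    return "fixed"                # build >= ASSUMED_FIXED


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, Optional[int], str]]:
    """Return (host, build, status) rows, most urgent first, then by hostname."""
    order = {"affected": 0, "unknown": 1, "below-range": 2, "fixed": 3}
    rows = [(host, parse_build(banner), classify(banner)) for host, banner in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY = [
    ("mon-01.example.internal", "Pandora FMS v7.0NG.777 - Build PC230123"),
    ("mon-02.example.internal", "7.0NG.800"),
    ("mon-03.example.internal", "Pandora FMS v7.0NG.801"),
    ("mon-04.example.internal", "7.0NG.776"),
    ("mon-05.example.internal", ""),  # banner not collected
]

if __name__ == "__main__":
    for host, build, status in triage(SAMPLE_INVENTORY):
        print(f"{status:<12} {host:<26} build={build}")
```

Hosts classified as "affected" are the ones to isolate or network-restrict first; "unknown" entries need a manual version check rather than being assumed safe.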


CVE-2026-30805 vulnerability details – vuln.today
