Which versions of Pandora Fms are affected by EUVD-2026-21992?

Pandora FMS versions 777-800 contain an authorization bypass allowing authenticated users to access configuration endpoints beyond their privilege level, exposing credentials and system architecture…

How to fix or mitigate EUVD-2026-21992?

Within 24 hours: Identify all Pandora FMS instances (versions 777-800) in production via asset inventory and vulnerability scanner; isolate or restrict network access to configuration endpoints if possible. Within 7 days: Contact Pandora FMS vendor for patch availability and timeline; implement network segmentation to limit authenticated user access to configuration APIs. Within 30 days: Apply vendor-released patch immediately upon availability; conduct audit of configuration endpoint access logs for unauthorized access; reset exposed credentials and review role-based access control (RBAC) configuration across all instances.

Pandora Fms EUVD-2026-21992

Q: What is the CVSS score of EUVD-2026-21992?

EUVD-2026-21992 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber. EPSS exploitation probability: 0.0%.

| CVE-2026-30811 HIGH

Incorrect Default Permissions (CWE-276)

2026-04-13 PandoraFMS

Privilege Escalation Pandora Fms

8.4

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

8.4 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:C/RE:L/U:Amber

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 17, 2026 - 15:52 vuln.today

cvss_changed

Analysis Generated

Apr 13, 2026 - 16:43 vuln.today

CVSS changed

Apr 13, 2026 - 16:22 NVD

8.4 (HIGH)

EUVD ID Assigned

Apr 13, 2026 - 16:15 euvd

EUVD-2026-21992

Analysis Generated

Apr 13, 2026 - 16:15 vuln.today

CVE Published

Apr 13, 2026 - 15:47 nvd

HIGH 8.4

DescriptionCVE.org

Missing Authorization vulnerability allows Exposure of Sensitive Information via configuration endpoint. This issue affects Pandora FMS: from 777 through 800

AnalysisAI

Unauthorized access to configuration endpoints in Pandora FMS versions 777 through 800 exposes sensitive system information to low-privileged authenticated users. The missing authorization control (CWE-276) allows privilege escalation where authenticated users can access configuration data they should not have permissions to view, potentially revealing credentials, internal architecture details, and security settings. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain low-privilege Pandora FMS credentials

Delivery

Access configuration endpoint without authorization

Exploit

Extract sensitive configuration data

Execution

Harvest credentials for databases/monitored systems

Persist

Pivot to backend infrastructure

Impact

Execute privileged operations on subsequent systems