Skip to main content

guardsix ODBC Enrichment Plugins EUVDEUVD-2026-24953

| CVE-2026-35548 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-22 mitre
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Apr 23, 2026 - 00:15 vuln.today
CVSS changed
Apr 22, 2026 - 16:22 NVD
8.5 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 15:00 euvd
EUVD-2026-24953
Analysis Generated
Apr 22, 2026 - 15:00 vuln.today
CVE Published
Apr 22, 2026 - 00:00 nvd
HIGH 8.5

DescriptionCVE.org

An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source, previously stored credentials were retained even if the connection endpoint was changed. An authenticated Operator user could redirect the database connection to unintended internal systems, resulting in SSRF and potential misuse of valid stored credentials.

AnalysisAI

Server-Side Request Forgery in guardsix (formerly Logpoint) ODBC Enrichment Plugins allows authenticated Operator users to redirect stored database credentials to arbitrary internal systems by modifying connection endpoints without clearing cached credentials. The vulnerability affects versions before 5.2.1 and enables credential misuse against unintended internal databases despite Changed Scope (CVSS S:C) indicating potential cross-boundary impact. EPSS and exploitation data not available; SSVC indicates no known exploitation, non-automatable attack requiring low-privilege authentication, with partial technical impact to confidentiality and integrity.

Technical ContextAI

The vulnerability exists in the ODBC (Open Database Connectivity) Enrichment Plugin component used by guardsix SIEM platform for external database integration. ODBC plugins allow security operations to enrich log data by querying external databases. The flaw is classified as CWE-918 (Server-Side Request Forgery), where insufficient validation of user-supplied connection parameters allows an authenticated user to modify the target Host, IP address, or Port of an existing Enrichment Source while the system incorrectly retains previously stored database credentials. This credential persistence logic error transforms legitimate database connectivity features into an SSRF primitive, enabling internal network scanning and unauthorized database access using valid stored credentials against endpoints chosen by the attacker rather than the originally configured legitimate systems.

RemediationAI

Upgrade ODBC Enrichment Plugins to version 5.2.1 or later, included in guardsix platform version 7.9.0.0. Vendor advisory available at https://servicedesk.guardsix.com/hc/en-us/articles/35555683205021-SSRF-in-ODBC-Enrichment-Source provides specific upgrade guidance. Until patching, implement these compensating controls: (1) Audit all Operator-level user accounts with ODBC Enrichment Source modification permissions and apply principle of least privilege - restrict this permission to minimum required administrators; (2) Enable detailed audit logging for all Enrichment Source configuration changes and monitor for modifications to Host/IP/Port fields followed by connection attempts to unexpected internal IP ranges; (3) Deploy network segmentation to restrict the guardsix platform's outbound database connectivity to explicitly allowed database servers only via firewall rules, blocking access to broader internal networks - note this may impact legitimate enrichment functionality if sources are added; (4) Implement database-side IP allowlisting to reject connections from the guardsix platform to sensitive internal databases not explicitly configured for enrichment. These controls reduce attack surface but may require operational overhead and should be removed once patching is complete.

Share

EUVD-2026-24953 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy