{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-35548", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-22T15:21:32.153Z", "dateReserved": "2026-04-03T00:00:00.000Z", "datePublished": "2026-04-22T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-22T14:13:41.396Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source, previously stored credentials were retained even if the connection endpoint was changed. An authenticated Operator user could redirect the database connection to unintended internal systems, resulting in SSRF and potential misuse of valid stored credentials."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://guardsix.com/media-room#/pressreleases/logpoint-becomes-guardsix-as-europe-reassesses-sovereign-security-operations-3436974"}, {"url": "https://servicedesk.guardsix.com/hc/en-us/articles/35555683205021-SSRF-in-ODBC-Enrichment-Source"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-918", "lang": "en", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T15:20:42.631183Z", "id": "CVE-2026-35548", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:21:32.153Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-35548", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T15:20:42.631183Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918 Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T15:07:23.969Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://guardsix.com/media-room#/pressreleases/logpoint-becomes-guardsix-as-europe-reassesses-sovereign-security-operations-3436974"}, {"url": "https://servicedesk.guardsix.com/hc/en-us/articles/35555683205021-SSRF-in-ODBC-Enrichment-Source"}], "descriptions": [{"lang": "en", "value": "An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source, previously stored credentials were retained even if the connection endpoint was changed. An authenticated Operator user could redirect the database connection to unintended internal systems, resulting in SSRF and potential misuse of valid stored credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-22T14:13:41.396Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35548", "state": "PUBLISHED", "dateUpdated": "2026-04-22T15:21:32.153Z", "dateReserved": "2026-04-03T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-22T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source, previously stored credentials were retained even if the connection endpoint was changed. An authenticated Operator user could redirect the database connection to unintended internal systems, resulting in SSRF and potential misuse of valid stored credentials."}], "id": "CVE-2026-35548", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-22T15:16:16.100", "references": [{"source": "cve@mitre.org", "url": "https://guardsix.com/media-room#/pressreleases/logpoint-becomes-guardsix-as-europe-reassesses-sovereign-security-operations-3436974"}, {"source": "cve@mitre.org", "url": "https://servicedesk.guardsix.com/hc/en-us/articles/35555683205021-SSRF-in-ODBC-Enrichment-Source"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.1)"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "odbc_enrichment_plugins", "vendor": "guardsix"}], "analysis": {"en": {"generated_at": "2026-04-27T19:23:20.374106+00:00", "value": {"mitigation_remediation": ["Upgrade Guardsix ODBC Enrichment Plugins to version 5.2.1 or later (used in Guardsix 7.9.0.0).", "If an upgrade is not immediately possible, restrict the Operator role so that editing Enrichment Source target host details is disabled or limited to non\u2011sensitive internal services.", "Monitor operational logs for changes to Enrichment Source host, IP, or port and investigate any suspicious internal connections."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery with credential reuse"}, "threat_synthesis": {"affected_systems": "Guardsix ODBC Enrichment Plugins versions prior to 5.2.1 are vulnerable.\nGuardsix 7.9.0.0 uses plugin version 5.2.1, which includes the fix, so systems running that release are not affected.", "description_and_impact": "A logic flaw in Guardsix (formerly Logpoint) ODBC Enrichment Plugins allowed stored database credentials to be reused after the target Host, IP address, or Port was modified.\nWhen an authenticated Operator edited an existing Enrichment Source, previously stored credentials were retained even though the connection endpoint changed, enabling the Operator to redirect the database connection to unintended internal systems.\nThis flaw facilitates Server\u2011Side Request Forgery and can lead to misuse of valid stored credentials against internal services.", "risk_and_exploitability": "The vulnerability requires an authenticated Operator and leverages the web interface to modify an Enrichment Source.\nExploitation would allow the attacker to reach protected internal network hosts and use valid credentials, potentially leading to data exfiltration or lateral movement.\nNo EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of a publicly known exploit does not eliminate the risk.\nThe CVSS score of 8.5 indicates a high severity, underscoring the potential for significant internal compromise when the Operator has sufficient permissions."}}}}, "created": "2026-04-27T19:30:12.042821+00:00", "title": "Logic Flaw in ODBC Enrichment Plugins Allows SSRF via Reused Credentials", "updated": "2026-04-27T20:21:10.016621+00:00", "vendors": ["guardsix", "guardsix$PRODUCT$odbc_enrichment_plugins"]}