CVE-2026-30808
Pandora FMS · Pandora FMS
A session fixation vulnerability in Pandora FMS allows a remote, unauthenticated attacker to hijack user sessions by providing a crafted session identifier.
Executive summary
A session fixation flaw in Pandora FMS enables remote session hijacking, potentially granting an attacker full access to user accounts.
Vulnerability
This is a session fixation vulnerability (CWE-384) that allows an unauthenticated remote attacker to manipulate session IDs. The attack requires user interaction (UI:P) to succeed, typically by tricking a victim into using a pre-determined session identifier.
Business impact
Successful exploitation allows an attacker to hijack active user sessions, leading to unauthorized access to the application as the victim. Given the CVSS score of 8.1, the potential for complete account takeover and subsequent data exposure or administrative action makes this a high-severity vulnerability.
Remediation
Immediate Action: Apply the vendor-supplied security updates by upgrading to version 802 or 800.2.
Proactive Monitoring: Review application access logs for irregular session patterns or multiple logins from different source IPs associated with the same session ID.
Compensating Controls: Enforce strict session management policies, including the regeneration of session tokens upon every successful login, to mitigate the risk of fixation.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
This vulnerability requires immediate attention due to the ease with which an attacker can compromise user sessions. IT administrators must ensure that all instances of Pandora FMS are updated to the patched versions (v802 or v800.2) to prevent unauthorized account access.