Cyber Resilience

CVE-2026-35548

High

Published: 22 April 2026

Modified: 12 May 2026
CVSS Score v3.1: 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
EPSS Score: 0.0021 (11.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35548 is a high-severity SSRF (CWE-918) vulnerability in Guardsix Logpoint. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).

Deeper analysis

CVE-2026-35548 is a logic flaw in guardsix (formerly Logpoint) ODBC Enrichment Plugins before version 5.2.1; version 5.2.1 is the one used in guardsix 7.9.0.0. The vulnerability arises when an existing Enrichment Source is edited: previously stored database credentials are retained even after the target Host, IP address, or Port is modified, so they are reused against the changed connection endpoint. The issue is classified under CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high confidentiality impact and changed scope.

An authenticated Operator user can exploit this issue by editing an Enrichment Source to redirect the database connection to unintended internal systems while retaining valid stored credentials. This enables server-side request forgery (SSRF), potentially allowing access to internal resources and misuse of legitimate credentials for unauthorized data exfiltration or further compromise.
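The credential-retention logic described above, as an added Python sketch that is not guardsix code: the first update function keeps the stored secret whenever the password field is left blank, the second treats the secret as bound to the endpoint it was entered for. The record fields, function names and sample values are assumptions made for illustration, and the second function is one way to close the gap, not a description of the vendor's fix.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class EnrichmentSource:  # hypothetical record, not the vendor's schema
    name: str
    host: str
    port: int
    username: str
    password: str  # stored secret; the edit form never echoes it back


class CredentialsRequired(Exception):
    """An endpoint change arrived without freshly entered credentials."""


def norm_host(host: str) -> str:
    # Compare hosts case-insensitively and ignore a trailing root dot.
    return host.strip().lower().rstrip(".")


def update_retaining(stored: EnrichmentSource, host: str, port: int,
                     password: Optional[str] = None) -> EnrichmentSource:
    """Flawed pattern: a blank password field means "keep the stored one",
    even when the edit points the connection at a different endpoint."""
    return replace(stored, host=host, port=port,
                   password=password or stored.password)


def update_rebinding(stored: EnrichmentSource, host: str, port: int,
                     password: Optional[str] = None) -> EnrichmentSource:
    """Corrected pattern: the stored secret is bound to the endpoint it was
    entered for, so changing Host/IP or Port requires entering it again."""
    moved = (norm_host(host), port) != (norm_host(stored.host), stored.port)
    if moved and not password:
        raise CredentialsRequired(
            f"{stored.name}: endpoint changed, re-enter database credentials")
    return replace(stored, host=host, port=port,
                   password=password or stored.password)


# Constructed sample record; host names and secret are placeholders.
SAMPLE = EnrichmentSource("asset-lookup", "db1.example.internal", 1433,
                          "svc_enrich", "constructed-secret")

if __name__ == "__main__":
    print(update_retaining(SAMPLE, "10.0.0.5", 1433).password)  # secret follows the edit
    try:
        update_rebinding(SAMPLE, "10.0.0.5", 1433)
    except CredentialsRequired as exc:
        print("rejected:", exc)
```

The same comparison can drive an audit rule: any saved edit where the endpoint differs from the previous revision but the credential field was not resubmitted is worth reviewing on unpatched versions.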

The guardsix service desk advisory at https://servicedesk.guardsix.com/hc/en-us/articles/35555683205021-SSRF-in-ODBC-Enrichment-Source details the SSRF vulnerability in ODBC Enrichment Sources. Mitigation is to upgrade to ODBC Enrichment Plugins 5.2.1 or later, as indicated by the affected version range in the CVE description.

Vulnerability details

An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source, previously stored credentials were retained even if the connection endpoint was changed. An authenticated Operator user could redirect the database connection to unintended internal systems, resulting in SSRF and potential misuse of valid stored credentials.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213 Data from Information Repositories (Collection)
Adversaries may leverage information repositories to mine valuable information.

Why these techniques?

The SSRF vulnerability (CWE-918) allows an authenticated user to edit an Enrichment Source and redirect ODBC database connections to arbitrary internal endpoints while retaining stored credentials, directly enabling exploitation of a public-facing application (T1190) and unauthorized access to data from internal information repositories such as databases (T1213).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13195 (Shared CWE-918)
CVE-2026-5052 (Shared CWE-918)
CVE-2025-58045 (Shared CWE-918)
CVE-2025-69299 (Shared CWE-918)
CVE-2026-42398 (Shared CWE-918)
CVE-2026-7025 (Shared CWE-918)
CVE-2025-2691 (Shared CWE-918)
CVE-2025-21385 (Shared CWE-918)
CVE-2026-6625 (Shared CWE-918)
CVE-2026-30118 (Shared CWE-918)

Affected Assets

guardsix logpoint: ≤ 7.9.0
guardsix odbc: ≤ 5.2.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the logic flaw by requiring timely identification, reporting, and correction through vendor-recommended upgrade to ODBC Enrichment Plugins 5.2.1 or later.

Prevent: Restricts access to editing Enrichment Sources to authorized personnel only, preventing authenticated Operator users from modifying connection endpoints without appropriate privileges.

Prevent: Enforces least privilege to ensure Operator roles do not have unnecessary permissions to edit database connection details in Enrichment Sources, blocking the SSRF exploit path.
