CVE-2026-35548
Published: 22 April 2026
Summary
CVE-2026-35548 is a high-severity SSRF (CWE-918) vulnerability in Guardsix Logpoint. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 11.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-5 (Access Restrictions for Change).
Deeper analysis
CVE-2026-35548 is a logic flaw in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is the version used in guardsix 7.9.0.0). When an existing Enrichment Source is edited, the previously stored database credentials are retained even if the target Host, IP address, or Port is changed, so the stored credentials are reused against the new connection endpoint. The issue is classified as CWE-918 (Server-Side Request Forgery) with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N), indicating high confidentiality impact and changed scope.
An authenticated Operator user can exploit this issue by editing an Enrichment Source to redirect the database connection to unintended internal systems while retaining valid stored credentials. This enables server-side request forgery (SSRF), potentially allowing access to internal resources and misuse of legitimate credentials for unauthorized data exfiltration or further compromise.
The guardsix service desk advisory at https://servicedesk.guardsix.com/hc/en-us/articles/35555683205021-SSRF-in-ODBC-Enrichment-Source details the SSRF vulnerability in ODBC Enrichment Sources. The mitigation is to upgrade to ODBC Enrichment Plugins 5.2.1 or later, as indicated by the affected version range in the CVE description.
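The logic flaw described above, reduced to its pattern, as an added example that is not guardsix code: `EnrichmentSource`, `update_vulnerable`, `update_hardened` and `CredentialsRequired` are hypothetical names, and all sample values are constructed. The hardened handler treats a stored secret as bound to the endpoint it was entered for and refuses an endpoint change that arrives without a freshly supplied password.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class EnrichmentSource:
    """Hypothetical stored record for an ODBC enrichment source."""
    host: str
    port: int
    username: str
    password: str  # stored secret (constructed sample values only)


class CredentialsRequired(Exception):
    """Raised when the endpoint changes but no new password was supplied."""


def update_vulnerable(src: EnrichmentSource, host: str, port: int,
                      password: Optional[str] = None) -> EnrichmentSource:
    # Flawed pattern: an empty password field means "keep the stored one",
    # even though the connection now points at a different system.
    return replace(src, host=host, port=port,
                   password=password or src.password)


def _endpoint(host: str, port: int) -> tuple:
    # Hostnames compare case-insensitively. A hostname swapped for its IP
    # counts as a change on purpose: the check fails closed.
    return (host.strip().lower(), port)


def update_hardened(src: EnrichmentSource, host: str, port: int,
                    username: Optional[str] = None,
                    password: Optional[str] = None) -> EnrichmentSource:
    changed = _endpoint(host, port) != _endpoint(src.host, src.port)
    if changed and not password:
        # Never carry a stored secret over to a new Host, IP address or Port.
        raise CredentialsRequired(
            "endpoint changed: database credentials must be re-entered")
    return replace(src, host=host, port=port,
                   username=username or src.username,
                   password=password or src.password)
```

The same binding can be enforced at connection time by storing the endpoint alongside the secret and refusing to connect when they no longer match.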
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24953
Vulnerability details
An issue was discovered in guardsix (formerly Logpoint) ODBC Enrichment Plugins before 5.2.1 (5.2.1 is used in guardsix 7.9.0.0). A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source, previously stored credentials were retained even if the connection endpoint was changed. An authenticated Operator user could redirect the database connection to unintended internal systems, resulting in SSRF and potential misuse of valid stored credentials.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability (CWE-918) allows an authenticated user to edit an Enrichment Source and redirect ODBC database connections to arbitrary internal endpoints while retaining stored credentials, directly enabling exploitation of a public-facing application (T1190) and unauthorized access to data from internal information repositories such as databases (T1213).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the logic flaw by requiring timely identification, reporting, and correction through vendor-recommended upgrade to ODBC Enrichment Plugins 5.2.1 or later.
Restricts access to editing Enrichment Sources to authorized personnel only, preventing authenticated Operator users from modifying connection endpoints without appropriate privileges.
Enforces least privilege to ensure Operator roles do not have unnecessary permissions to edit database connection details in Enrichment Sources, blocking the SSRF exploit path.