PT-2026-7118 · Checkmk
Published: 2026-02-09 · Updated: 2026-02-09 · CVE-2026-24095
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Checkmk versions 2.2.0, 2.3.0 through 2.3.0p42, and 2.4.0 through 2.4.0p20
Description
Checkmk enforces permissions improperly on the "Analyze configuration" page. Users holding the "Use WATO" permission can open the page directly via its URL, bypassing the required "Access analyze configuration" permission check. If such users also hold the "Make changes, perform actions" permission, they can perform unauthorized actions from that page, including disabling checks or acknowledging results.
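The pattern behind this finding is a page that is hidden from the menu but not guarded in its handler. The following is an added example, not Checkmk's own code; the permission identifiers and the URL are assumptions chosen to mirror the permission names above, and it contrasts a modelled pre-fix handler with one that enforces every required permission on entry.

```python
# Added example, not Checkmk's own code: models how enforcing a page's
# permissions in the handler closes the direct-URL bypass described above.
# Permission identifiers and the URL are assumptions for illustration.

USE_WATO = "wato.use"             # "Use WATO" (assumed identifier)
ANALYZE = "wato.analyze_config"   # "Access analyze configuration" (assumed)
MAKE_CHANGES = "wato.edit"        # "Make changes, perform actions" (assumed)

# Every permission a caller must hold to reach each page (URLs assumed).
PAGE_PERMISSIONS = {
    "wato.py?mode=analyze_config": {USE_WATO, ANALYZE},
    "wato.py?mode=hosts": {USE_WATO},
}

def visible_menu(perms):
    """Menu lists only pages the user may open. This hides links but is
    not an access control: a URL can be typed directly."""
    return sorted(p for p, req in PAGE_PERMISSIONS.items() if req <= perms)

def open_page_vulnerable(perms, url):
    """Modelled pre-fix handler: only the generic 'Use WATO' permission is
    verified, so a direct request reaches pages the menu never showed."""
    if url not in PAGE_PERMISSIONS:
        return 404
    return 200 if USE_WATO in perms else 403

def open_page_fixed(perms, url):
    """Modelled post-fix handler: every permission the page requires is
    checked here, however the URL was reached."""
    if url not in PAGE_PERMISSIONS:
        return 404
    return 200 if PAGE_PERMISSIONS[url] <= perms else 403

def perform_action(perms, url, open_page):
    """Acknowledging a result or disabling a check needs the page to open
    and the 'Make changes' permission; shows why the bypass mattered."""
    if open_page(perms, url) != 200:
        return "denied"
    return "done" if MAKE_CHANGES in perms else "denied"

if __name__ == "__main__":
    operator = {USE_WATO, MAKE_CHANGES}      # constructed user, lacks ANALYZE
    url = "wato.py?mode=analyze_config"
    print(visible_menu(operator))            # ['wato.py?mode=hosts']
    print(perform_action(operator, url, open_page_vulnerable))  # done
    print(perform_action(operator, url, open_page_fixed))       # denied
```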
Recommendations
Update Checkmk to version 2.2.0p43 or later.
Update Checkmk to version 2.3.0p43 or later.
Update Checkmk to version 2.4.0p21 or later.
Tags: Fix · LPE · Missing Authorization
Affected Products
Checkmk