CVE-2026-24095
📋 TL;DR
This CVE describes an authorization bypass vulnerability in Checkmk monitoring software. Users with 'Use WATO' permission can access the 'Analyze configuration' page by directly navigating to its URL, circumventing the intended 'Access analyze configuration' permission check. If these users also have 'Make changes, perform actions' permission, they can perform unauthorized actions like disabling checks or acknowledging results.
💻 Affected Systems
- Checkmk
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Authorized but lower-privileged users could disable critical monitoring checks, acknowledge alerts to hide security incidents, or modify monitoring configurations to evade detection of malicious activities.
Likely Case
Users with WATO access but without analyze configuration permissions could view sensitive configuration details and potentially make unauthorized changes to monitoring settings if they also have change permissions.
If Mitigated
With proper permission segregation and least privilege principles, impact is limited to unauthorized viewing of configuration analysis pages without ability to make changes.
🎯 Exploit Status
Exploitation requires an authenticated account holding the 'Use WATO' permission; the bypass itself consists of navigating directly to the page's URL, so no further technique is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.0p21 for 2.4.0, 2.3.0p43 for 2.3.0
Vendor Advisory: https://checkmk.com/werk/19032
Restart Required: Yes
Instructions:
1. Backup your Checkmk configuration.
2. Update to the patched version using your distribution's package manager or Checkmk's update mechanism.
3. Restart Checkmk services.
4. Verify the fix by testing permission enforcement.
🔧 Temporary Workarounds
Temporary permission restriction
Temporarily remove the 'Use WATO' permission from users who do not absolutely need it until patching is complete.
# Edit user permissions in Checkmk WATO interface
🧯 If You Can't Patch
- Implement strict network segmentation to limit access to Checkmk web interface only to authorized administrators
- Enable detailed audit logging for all WATO and configuration analysis activities and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check your Checkmk version and compare against affected versions. Test if users with only 'Use WATO' permission can access /check_mk/analyze_config.py directly.
Check Version:
omd version
Verify Fix Applied:
After patching, verify that users with only 'Use WATO' permission cannot access the analyze configuration page via direct URL navigation.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /check_mk/analyze_config.py
- Configuration changes by users without proper 'Access analyze configuration' permission
Network Indicators:
- HTTP GET requests to analyze configuration endpoints from unauthorized users
SIEM Query:
source="checkmk" AND (url_path="/check_mk/analyze_config.py" OR action="analyze_config") AND user_permission!="Access analyze configuration"
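The log indicators and SIEM query above, turned into an offline check over constructed access-log lines (an added example, not part of this advisory or of Checkmk's own code): it flags every request to analyze_config.py by a user whose role lacks 'Access analyze configuration', records whether the server actually served the page, and rates users who also hold 'Make changes, perform actions' higher. The permission identifiers wato.use / wato.analyze_config / wato.edit, the role and user tables, and the combined log format with the user in the third field are assumptions to adapt to your site.

```python
import re
# Permission identifiers assumed here for the labels the advisory uses:
# 'Use WATO', 'Access analyze configuration', 'Make changes, perform actions'.
USE_WATO = "wato.use"
ANALYZE_CONFIG = "wato.analyze_config"
EDIT = "wato.edit"
# Constructed role and user tables; replace with an export of your site's roles.
ROLE_PERMISSIONS = {
    "admin": {USE_WATO, ANALYZE_CONFIG, EDIT},
    "operator": {USE_WATO, EDIT},   # the combination the advisory warns about
    "viewer": set(),
}
USER_ROLES = {"alice": "admin", "bob": "operator", "carol": "viewer"}
# Combined-format access log with the authenticated user in the third field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_bypass_attempts(lines):
    # One finding per request to analyze_config.py by a user whose role lacks
    # 'Access analyze configuration', whether or not the server served it.
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # not an access-log line
        path = m["path"].split("?", 1)[0]  # drop any query string
        if not path.endswith("/check_mk/analyze_config.py"):
            continue
        perms = ROLE_PERMISSIONS.get(USER_ROLES.get(m["user"], ""), set())
        if ANALYZE_CONFIG in perms:
            continue                       # legitimately entitled to the page
        findings.append({
            "user": m["user"],
            "src_ip": m["ip"],
            # 2xx: the page was served, so the bypass worked or the fix is missing
            "served": m["status"].startswith("2"),
            # with the edit permission the user can also act on what the page shows
            "severity": "high" if EDIT in perms else "medium",
        })
    return findings

# Constructed sample lines; the site name "mysite" is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Feb/2026:10:01:02 +0000] "GET /mysite/check_mk/analyze_config.py HTTP/1.1" 200 8123
10.0.0.7 - bob [12/Feb/2026:10:02:15 +0000] "GET /mysite/check_mk/analyze_config.py HTTP/1.1" 200 7990
10.0.0.9 - carol [12/Feb/2026:10:03:44 +0000] "GET /mysite/check_mk/analyze_config.py HTTP/1.1" 403 512
10.0.0.7 - bob [12/Feb/2026:10:04:01 +0000] "GET /mysite/check_mk/wato.py HTTP/1.1" 200 3000
"""
```

A 2xx finding after the patch is installed means the fix is not effective on that site; a 403 for the same user shows the permission check is now enforced.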