Skip to main content

Checkmk EUVDEUVD-2026-21346

| CVE-2026-33457 MEDIUM
Improper Neutralization of Delimiters (CWE-140)
2026-04-10 Checkmk GHSA-8gxr-c98h-cwxm
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.4.0p26,2.3.0p47,2.5.0b4
EUVD ID Assigned
Apr 10, 2026 - 08:45 euvd
EUVD-2026-21346
Analysis Generated
Apr 10, 2026 - 08:45 vuln.today
CVE Published
Apr 10, 2026 - 08:31 nvd
MEDIUM 5.3

DescriptionCVE.org

Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.

AnalysisAI

Livestatus command injection in Checkmk prediction graph page allows authenticated users to execute arbitrary Livestatus commands by injecting malicious service name parameters due to insufficient input sanitization. Affected versions include Checkmk 2.3.0 before p47, 2.4.0 before p26, and 2.5.0 before b4. The vulnerability requires valid authentication credentials to exploit and results in limited confidentiality, integrity, and availability impact within the Livestatus subsystem.

Technical ContextAI

Checkmk's prediction graph page processes service description values that are passed to Livestatus, the monitoring system's query interface. The vulnerability stems from CWE-140 (Improper Neutralization of Delimiters), where user-controlled service name parameters are not properly sanitized before being incorporated into Livestatus command syntax. This allows an authenticated attacker to inject arbitrary Livestatus protocol commands by crafting malicious service names that break out of the intended command context. Livestatus is Checkmk's internal query language used for real-time monitoring data access, and injection at this layer can permit unauthorized data access or manipulation within the monitoring infrastructure.

RemediationAI

Upgrade Checkmk to patched versions: 2.3.0p47 or later, 2.4.0p26 or later, or 2.5.0b4 or later, depending on your current branch. These releases include proper sanitization of service name parameters before they are processed by Livestatus. Consult the official Checkmk advisory at https://checkmk.com/werk/17990 and the NVD detail page at https://nvd.nist.gov/vuln/detail/CVE-2026-33457 for download links and installation instructions. Organizations unable to patch immediately should restrict Checkmk user access to trusted personnel only and monitor Livestatus logs for unusual command patterns.

CVE-2017-14955 MEDIUM POC
5.9 Oct 02

Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, whi

CVE-2021-40904 HIGH POC
8.8 Mar 25

The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dok

CVE-2021-40905 HIGH POC
8.8 Mar 25

The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uplo

CVE-2024-28825 CRITICAL
9.8 Apr 24

Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta

CVE-2021-36563 MEDIUM POC
5.4 Jul 26

The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the W

CVE-2025-39666 CRITICAL
9.3 Apr 07

Local privilege escalation in Checkmk allows site users with high privileges to escalate to root by manipulating site co

CVE-2024-8606 CRITICAL
9.2 Sep 23

Bypass of two factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass

CVE-2023-31211 HIGH
8.8 Jan 12

Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows attacker to use locked credent

CVE-2025-32918 HIGH
8.8 Jul 04

A security vulnerability in autocomplete endpoint within the RestAPI of Checkmk (CVSS 8.8) that allows an authenticated

CVE-2023-6735 HIGH
8.8 Jan 12

Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escal

CVE-2023-6740 HIGH
8.8 Jan 12

Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user t

CVE-2024-28828 HIGH
8.8 Jul 10

Cross-Site request forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click com

Share

EUVD-2026-21346 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy