Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Incorrect authorization in the User Messages dashboard widget in Checkmk <2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by sending requests to the underlying endpoint, even without a User Messages widget present.
AnalysisAI
Incorrect authorization in Checkmk's User Messages dashboard widget exposes the dashboard creator's personal messages to any party possessing a valid public dashboard share token. The message-fetching endpoints resolve messages using the dashboard creator's identity rather than the requesting party's identity, meaning that direct API calls with a share token return the issuer's private messages regardless of whether the User Messages widget is actually present on the shared dashboard. All Checkmk deployments running versions prior to 2.5.0p5 that use the public dashboard sharing feature are affected. No public exploit has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Technical ContextAI
Checkmk (CPE: cpe:2.3:a:checkmk_gmbh:checkmk) is an enterprise IT infrastructure monitoring platform. Its dashboard system supports public share tokens that allow unauthenticated viewers to access specific dashboards. The User Messages widget within those dashboards calls a backend message-fetching endpoint. The root cause, classified as CWE-863 (Incorrect Authorization), is that the endpoint resolves the message subject from the dashboard's creator context rather than the context of the token-bearing requester - an authorization logic flaw distinct from missing checks entirely. Because the vulnerable endpoint can be called directly with a share token independent of widget presence, the attack surface extends beyond dashboards that visually include the widget.
RemediationAI
Upgrade Checkmk to version 2.5.0p5 or later, which is the vendor-confirmed patched release per advisory https://checkmk.com/werk/19815. If immediate upgrade is not feasible, the primary compensating control is to disable public dashboard sharing entirely within Checkmk's global settings, which removes the unauthenticated token-bearing access path and eliminates the attack surface; note that this will break any externally shared dashboard links currently in use. A more targeted workaround is to audit existing shared dashboards and revoke or regenerate share tokens for dashboards whose creators have sensitive messages, reducing exposure while maintaining sharing for lower-risk dashboards. Removing the User Messages widget from shared dashboards is insufficient as a workaround because the underlying endpoint is exploitable independently of widget presence.
Check_MK before 1.2.8p26 mishandles certain errors within the failed-login save feature because of a race condition, whi
The web management console of CheckMK Raw Edition (versions 1.5.0 to 1.6.0) allows a misconfiguration of the web-app Dok
The web management console of CheckMK Enterprise Edition (versions 1.5.0 to 2.0.0p9) does not properly sanitise the uplo
Improper restriction of excessive authentication attempts on some authentication methods in Checkmk before 2.3.0b5 (beta
The CheckMK management web console (versions 1.5.0 to 2.0.0) does not sanitise user input in various parameters of the W
Local privilege escalation in Checkmk allows site users with high privileges to escalate to root by manipulating site co
Bypass of two factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass
Insufficient authentication flow in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows attacker to use locked credent
A security vulnerability in autocomplete endpoint within the RestAPI of Checkmk (CVSS 8.8) that allows an authenticated
Privilege escalation in mk_tsm agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user to escal
Privilege escalation in jar_signature agent plugin in Checkmk before 2.2.0p18, 2.1.0p38 and 2.0.0p39 allows local user t
Cross-Site request forgery in Checkmk < 2.3.0p8, < 2.2.0p29, < 2.1.0p45, and <= 2.0.0p39 (EOL) could lead to 1-click com
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35051
GHSA-2x95-frx4-wh7r