CVE-2026-2859 Overview
CVE-2026-2859 is an improper permission enforcement vulnerability in Checkmk, an IT infrastructure monitoring platform. The flaw resides in the deploy_agent endpoint, which returns different HTTP response codes depending on whether a requested host exists. Unauthenticated remote attackers can exploit this oracle behavior to enumerate valid host names registered in a Checkmk installation. The issue affects Checkmk 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and end-of-life 2.2.0 releases. The vulnerability is classified under CWE-204: Observable Response Discrepancy and results in information disclosure that aids reconnaissance.
Critical Impact
Unauthenticated attackers can map internal infrastructure by enumerating monitored hosts, providing a foothold for targeted follow-on attacks.
Affected Products
- Checkmk 2.4.0 prior to 2.4.0p23
- Checkmk 2.3.0 prior to 2.3.0p43
- Checkmk 2.2.0 (end-of-life, no fix available)
Discovery Timeline
- 2026-03-13 - CVE-2026-2859 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-2859
Vulnerability Analysis
The vulnerability stems from inconsistent HTTP response handling in the deploy_agent endpoint of the Checkmk web interface. When the endpoint receives a request referencing a host name, it returns distinct response codes for existing versus non-existent hosts. This response discrepancy creates an observable side channel that does not require authentication to query. Attackers can iterate through candidate host names and infer which entries exist in the Checkmk configuration based solely on the HTTP status code returned. The disclosed information has no direct impact on integrity or availability, but it exposes the internal asset inventory monitored by Checkmk.
Root Cause
The deploy_agent endpoint enforces permission checks after host lookup rather than before. Existing hosts produce an authorization or permission-related response, while requests for non-existent hosts produce a different not-found style response. This sequencing means the endpoint reveals existence information to anonymous callers before any access control decision is finalized, violating the principle of returning uniform responses for unauthenticated requests.
Attack Vector
An unauthenticated attacker with network access to the Checkmk web interface sends repeated HTTP requests to the deploy_agent endpoint, varying the host parameter across a target wordlist. By comparing response codes, the attacker compiles a list of monitored hosts. This enumeration supports reconnaissance for downstream attacks targeting newly discovered systems. No verified public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Checkmk Security Update Werk 18994 for vendor-supplied technical details.
Detection Methods for CVE-2026-2859
Indicators of Compromise
- High-volume sequential HTTP requests to the deploy_agent endpoint from a single source IP
- Requests targeting the deploy_agent path with iterated or wordlist-style host parameters
- Spikes in 4xx response codes from the Checkmk web interface within short time windows
- Anonymous or unauthenticated access patterns probing host-specific URLs prior to a valid login
Detection Strategies
- Monitor Checkmk web server access logs for repeated requests to deploy_agent with varying host identifiers
- Implement rate-limiting alerts on unauthenticated requests reaching agent deployment URLs
- Correlate response code distributions per source IP to identify enumeration behavior
Monitoring Recommendations
- Forward Checkmk Apache and site access logs to a centralized SIEM for analysis
- Baseline normal deploy_agent traffic volume and alert on statistical deviations
- Review reverse-proxy or WAF logs in front of Checkmk for scanning signatures and bot user agents
How to Mitigate CVE-2026-2859
Immediate Actions Required
- Upgrade Checkmk 2.4.0 installations to version 2.4.0p23 or later
- Upgrade Checkmk 2.3.0 installations to version 2.3.0p43 or later
- Migrate Checkmk 2.2.0 deployments to a supported branch since 2.2.0 is end-of-life and will not receive a patch
- Restrict network exposure of the Checkmk web interface to trusted management networks
Patch Information
Checkmk has released fixed versions 2.4.0p23 and 2.3.0p43 that address the response discrepancy in the deploy_agent endpoint. Refer to the official advisory at Checkmk Werk 18994 for upgrade instructions and the full list of resolved issues.
Workarounds
- Place the Checkmk web interface behind a VPN or zero-trust gateway to eliminate unauthenticated internet access
- Configure reverse-proxy authentication in front of the Checkmk site so anonymous requests cannot reach deploy_agent
- Apply WAF rules that rate-limit or block unauthenticated access to the agent deployment URL path
# Configuration example: Apache reverse-proxy rule to require authentication
# before requests reach the Checkmk deploy_agent endpoint
<Location "/mysite/check_mk/deploy_agent.py">
AuthType Basic
AuthName "Checkmk Admin"
AuthUserFile /etc/apache2/checkmk.htpasswd
Require valid-user
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

