Skip to main content
CVE Vulnerability Database

CVE-2026-7765: Checkmk Auth Bypass Vulnerability

CVE-2026-7765 is an authentication bypass flaw in Checkmk that exposes dashboard creators' personal messages to attackers with valid share tokens. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-7765 Overview

CVE-2026-7765 is an incorrect authorization vulnerability [CWE-863] in the User Messages dashboard widget in Checkmk versions prior to 2.5.0p5. The message-fetching endpoints return the dashboard creator's messages instead of the viewer's. An attacker who knows a valid public dashboard share token can read the issuer's personal messages by sending requests directly to the underlying endpoint. The flaw is exploitable even when no User Messages widget is present on the dashboard. Exploitation requires network access and no authentication, making the attack surface accessible to any user who obtains a share token.

Critical Impact

Unauthenticated attackers holding a public dashboard share token can read the dashboard issuer's personal messages from Checkmk, exposing sensitive operational and account-related information.

Affected Products

  • Checkmk 2.5.0 (including beta releases b1, b2, b3)
  • Checkmk 2.5.0p1 through 2.5.0p4
  • All Checkmk builds prior to 2.5.0p5

Discovery Timeline

  • 2026-06-08 - CVE-2026-7765 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-7765

Vulnerability Analysis

The vulnerability resides in the Checkmk dashboard subsystem, specifically the User Messages widget and its supporting endpoints. Checkmk supports publicly shareable dashboards through share tokens, allowing anonymous viewers to access dashboard content scoped to the dashboard's creator. When the User Messages widget loads, the message-fetching endpoint should resolve the recipient context against the requesting viewer's session. Instead, it resolves messages against the dashboard creator (the issuer) and returns their personal user messages to the viewer. The mismatch between authorization context and data ownership leads to unintended disclosure of the issuer's messages to any party with a valid share token.

Root Cause

The root cause is a broken authorization check [CWE-863] in the message-fetching endpoint. The endpoint trusts the dashboard creator's identity as the message owner rather than enforcing access based on the authenticated viewer. Because the underlying endpoint is reachable independently of the widget being placed on the dashboard, the missing authorization extends to any caller who can present a share token.

Attack Vector

An attacker first obtains a public dashboard share token, which is intended for low-sensitivity, anonymous read access. The attacker then issues HTTP requests directly to the message endpoint, passing the share token. The endpoint responds with the dashboard issuer's personal messages, even if the dashboard does not include a User Messages widget. No prior authentication, social engineering, or privilege escalation is required beyond possessing a valid share token.

No public proof-of-concept code is available for CVE-2026-7765. For implementation specifics, refer to the Checkmk Werk 19815 advisory.

Detection Methods for CVE-2026-7765

Indicators of Compromise

  • Unexpected HTTP requests to Checkmk User Messages endpoints originating from clients that only hold public dashboard share tokens.
  • Access log entries showing repeated message-endpoint calls correlated with public dashboard URLs rather than authenticated sessions.
  • Anonymous or unauthenticated user agents retrieving JSON payloads containing message content fields belonging to administrators or operators.

Detection Strategies

  • Review Checkmk web access logs for requests to message-fetching paths that include share-token query parameters or referer headers from public dashboards.
  • Correlate share-token usage with high-volume or scripted access patterns that diverge from normal dashboard viewing behavior.
  • Audit which Checkmk users have created public dashboards and inspect whether their accounts hold sensitive User Messages.

Monitoring Recommendations

  • Enable verbose request logging on the Checkmk Apache or nginx front end to capture endpoint paths, share-token identifiers, and client IPs.
  • Forward Checkmk web and audit logs to a centralized SIEM for retention and anomaly analysis against share-token traffic baselines.
  • Alert on any access to message endpoints that does not originate from an authenticated session cookie tied to the message owner.

How to Mitigate CVE-2026-7765

Immediate Actions Required

  • Upgrade Checkmk to version 2.5.0p5 or later, which corrects the authorization check on message-fetching endpoints.
  • Inventory and revoke existing public dashboard share tokens for dashboards owned by accounts that may have received sensitive User Messages.
  • Restrict the creation of public dashboards to accounts that do not handle privileged operational notifications.

Patch Information

The vendor released the fix in Checkmk 2.5.0p5. Details are documented in the Checkmk Werk 19815 advisory. The patch corrects the endpoint logic so that message retrieval is scoped to the authenticated viewer rather than the dashboard issuer.

Workarounds

  • Disable or remove public dashboard sharing until the upgrade to 2.5.0p5 can be applied.
  • Place the Checkmk web interface behind an authenticating reverse proxy that blocks anonymous access to message endpoints.
  • Rotate share tokens after upgrading to invalidate any tokens previously exposed to untrusted parties.
bash
# Example: identify the running Checkmk version on a site
omd version

# Example: upgrade an OMD site to the patched Checkmk release
omd stop mysite
omd update mysite --version 2.5.0p5.cre
omd start mysite

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.