Skip to main content
CVE Vulnerability Database

CVE-2026-8078: Checkmk Stored XSS Vulnerability

CVE-2026-8078 is a stored XSS vulnerability in Checkmk's global settings change log that allows administrators to inject malicious scripts. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-8078 Overview

CVE-2026-8078 is a stored cross-site scripting (XSS) vulnerability in the global settings change log component of Checkmk, an IT infrastructure monitoring platform. An administrator with permissions to modify global settings can inject malicious HTML or JavaScript into changelog messages. The payload then executes in the browsers of other users who view the Activate Changes page or Audit log.

The flaw is tracked under CWE-79 and affects Checkmk versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases. Successful exploitation requires high privileges and user interaction, limiting its blast radius to multi-administrator deployments.

Critical Impact

A privileged administrator can persist JavaScript that executes in other administrators' authenticated sessions, enabling session abuse, configuration tampering, or lateral movement within the monitoring platform.

Affected Products

  • Checkmk <2.5.0p5
  • Checkmk <2.4.0p31
  • Checkmk <2.3.0p48
  • Checkmk 2.2.0 (all versions, including betas and patch levels)

Discovery Timeline

  • 2026-06-08 - CVE-2026-8078 published to NVD
  • 2026-06-08 - Last updated in NVD database
  • 2026-06-08 - Vendor advisory Checkmk Werk 17992 published

Technical Details for CVE-2026-8078

Vulnerability Analysis

The vulnerability resides in how Checkmk renders entries written to the global settings change log. When an administrator modifies a global setting, Checkmk records the change in a changelog message that is later displayed on the Activate Changes page and within the Audit log view.

The application stores user-controllable text from those changes and renders it in the web interface without adequately neutralizing HTML or JavaScript content. Any script payload embedded in a logged message executes in the browser context of subsequent viewers, inheriting their Checkmk session.

Exploitation requires authenticated access with permissions to alter global settings, and a second user must load the affected page. The attack vector is network-based, and the impact is limited to integrity loss within the web application and a small confidentiality impact on the rendering user.

Root Cause

The root cause is insufficient output encoding (CWE-79) of strings persisted into the change log. The rendering pipeline for the Activate Changes and Audit log views does not escape HTML metacharacters in stored changelog messages, allowing the browser to interpret attacker-controlled markup as active content rather than text.

Attack Vector

An attacker first obtains an account with the wato.global or equivalent permission to modify global settings. They submit a configuration change whose accompanying changelog message contains an HTML or JavaScript payload. When another administrator opens the Activate Changes page or reviews the Audit log, the stored payload is rendered inline and executes under that user's session, enabling cookie theft, forced configuration changes, or CSRF-style follow-on actions against Checkmk's management endpoints.

No verified public proof-of-concept code is available. Refer to the Checkmk Werk 17992 advisory for vendor-supplied technical details.

Detection Methods for CVE-2026-8078

Indicators of Compromise

  • Changelog or Audit log entries containing HTML tags such as <script>, <img onerror=, <svg onload=, or javascript: URIs in the message body.
  • Unexpected outbound requests from administrator browsers immediately after loading the Activate Changes page.
  • Global setting modifications committed by accounts that do not typically perform configuration work.

Detection Strategies

  • Parse Checkmk audit log exports for changelog messages containing angle brackets, event handler attributes (on*=), or encoded script sequences.
  • Correlate administrator session activity in web access logs with anomalous JavaScript-driven API calls to /check_mk/wato.py or related endpoints.
  • Hunt for newly created or modified Checkmk users, automation secrets, or notification rules that follow suspicious changelog entries.

Monitoring Recommendations

  • Forward Checkmk web.log, audit.log, and Apache access logs to a centralized log platform and alert on suspicious markup in change log fields.
  • Review the list of accounts holding the global settings permission and monitor their activity on a recurring basis.
  • Enforce browser Content Security Policy reporting where supported to surface inline script execution attempts.

How to Mitigate CVE-2026-8078

Immediate Actions Required

  • Upgrade Checkmk to 2.5.0p5, 2.4.0p31, 2.3.0p48, or later as appropriate for your release branch.
  • Retire the 2.2.0 branch, which receives no fix for this issue, by migrating to a supported, patched version.
  • Audit the global settings change log and Audit log for any pre-existing entries containing HTML or scripting payloads and remove them.
  • Restrict the global settings permission to the minimum number of trusted administrators.

Patch Information

Checkmk has published the fix in Checkmk Werk 17992. Apply the corresponding patch release for your branch: 2.5.0p5, 2.4.0p31, or 2.3.0p48. Customers on 2.2.0 must upgrade to a supported branch because that line is not patched.

Workarounds

  • Limit accounts with permission to modify global settings to vetted administrators until patching is complete.
  • Instruct administrators to avoid the Activate Changes and Audit log pages on unpatched systems where untrusted operators have configuration access.
  • Place the Checkmk web interface behind a reverse proxy that enforces a strict Content Security Policy disallowing inline scripts.
bash
# Example: upgrade an OMD-managed Checkmk site to the patched version
omd stop mysite
omd update mysite   # select the patched version, e.g. 2.4.0p31
omd start mysite

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.