Skip to main content
CVE Vulnerability Database

CVE-2026-9549: Checkmk Stored XSS Vulnerability

CVE-2026-9549 is a stored cross-site scripting flaw in Checkmk's service discovery that allows administrators to inject malicious code. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-9549 Overview

CVE-2026-9549 is a stored cross-site scripting (XSS) vulnerability in the Checkmk monitoring platform. The flaw resides in the service discovery active check output rendering path. An authenticated administrator who can configure active or custom checks can inject malicious HTML or JavaScript into check output. The payload executes in the browser of any administrator or user with host read permissions when the check runs on the service discovery page. The issue affects Checkmk versions prior to 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases. The weakness is categorized under CWE-79.

Critical Impact

A privileged Checkmk user with check configuration rights can plant persistent JavaScript that runs in higher-privileged admin sessions, enabling session abuse and configuration tampering within the monitoring environment.

Affected Products

  • Checkmk 2.2.0 (all versions, including betas and patch levels p1–p47)
  • Checkmk 2.3.0 prior to 2.3.0p48
  • Checkmk 2.4.0 prior to 2.4.0p31 and Checkmk 2.5.0 prior to 2.5.0p5

Discovery Timeline

  • 2026-06-08 - CVE-2026-9549 published to NVD
  • 2026-06-08 - Last updated in NVD database

Technical Details for CVE-2026-9549

Vulnerability Analysis

The vulnerability is a stored cross-site scripting flaw in the rendering of active check output on Checkmk's service discovery page. Active and custom checks let administrators define commands whose output is captured and displayed in the web UI. The service discovery view does not sufficiently sanitize or HTML-encode this output before rendering it in the browser. As a result, HTML or JavaScript inside the check output is treated as live markup rather than text. Because the malicious content originates from a stored check configuration, the payload fires whenever a victim user triggers the discovery view for the affected host. Targets include administrators and any user holding host read permissions, which broadens the impact beyond the attacker's own session.

Root Cause

The root cause is improper neutralization of input during web page generation [CWE-79]. Output from active or custom checks is rendered into the service discovery page without consistent contextual escaping. Checkmk treats the check command's stdout as trusted display content, but the value is attacker-controlled by anyone authorized to define checks. Vendor advisory Checkmk Werk 17993 documents the corrected output handling.

Attack Vector

Exploitation requires an authenticated account with high privileges, specifically the right to configure active or custom checks. The attacker stores a check whose output includes HTML or JavaScript markup. When another user, such as an administrator or a host reader, navigates to the service discovery page and runs the check, the rendered output executes the script in their browser context. This allows the attacker to perform actions in the victim's session, read DOM content, or pivot configuration changes through the Checkmk web UI. User interaction by the victim is required to trigger discovery.

No verified public proof-of-concept code is available for CVE-2026-9549. Refer to the Checkmk Werk 17993 advisory for vendor-provided technical context.

Detection Methods for CVE-2026-9549

Indicators of Compromise

  • Active or custom check definitions containing HTML tags such as <script>, <img onerror=...>, or inline event handlers in command names, arguments, or output templates.
  • Unexpected audit log entries showing creation or modification of active or custom checks by accounts that do not normally manage checks.
  • Browser console errors or content security policy (CSP) violations originating from /check_mk/ service discovery pages.

Detection Strategies

  • Review the Checkmk audit log and WATO configuration history for recent changes to active or custom check definitions.
  • Scan rule and check configurations for HTML or JavaScript syntax patterns (<script, onerror=, javascript:) that should not appear in legitimate check output.
  • Correlate web access logs to the service discovery endpoints with administrative session activity to identify anomalous viewing patterns.

Monitoring Recommendations

  • Alert on configuration changes to active checks and custom checks, especially by non-standard accounts or outside change windows.
  • Monitor browser CSP reports if Checkmk is fronted by a reverse proxy that injects a report-uri policy.
  • Track privileged user logins and session reuse to detect post-exploitation session hijacking.

How to Mitigate CVE-2026-9549

Immediate Actions Required

  • Upgrade Checkmk to a fixed release: 2.5.0p5, 2.4.0p31, 2.3.0p48, or newer. The 2.2.0 branch is affected in all versions and should be migrated to a supported, patched release.
  • Audit and remove any active or custom checks containing HTML or JavaScript markup in their output.
  • Review accounts with permission to configure active or custom checks and revoke this right from users who do not require it.

Patch Information

Checkmk has published fixes through the official Werk tracking system. See Checkmk Werk 17993 for the change description and fixed versions. Apply the patched release matching your current branch (2.3.0p48, 2.4.0p31, or 2.5.0p5), or migrate off the unsupported 2.2.0 branch.

Workarounds

  • Restrict the permission to configure active and custom checks to a minimal set of trusted administrators until patching is complete.
  • Avoid opening the service discovery page for hosts whose checks were modified by untrusted users until those configurations are reviewed.
  • Deploy a strict Content Security Policy at the reverse proxy layer to limit inline script execution in the Checkmk UI as a defense-in-depth control.
bash
# Example: verify installed Checkmk version on a site
omd version

# Example: list active and custom checks for review (run as site user)
cmk -L | grep -Ei 'active|custom'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.