CVE-2026-24096 (GCVE-0-2026-24096)
Vulnerability from cvelistv5 – Published: 2026-04-01 10:07 – Updated: 2026-04-01 12:37
VLAI?
Title
Insufficient permission validation on multiple REST API Quick Setup endpoints
Summary
Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information
Severity ?
CWE
- CWE-280 - Improper Handling of Insufficient Permissions or Privileges
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Checkmk GmbH | Checkmk |
Affected:
2.5.0b1 , < 2.5.0b2
(semver)
Affected: 2.4.0 , < 2.4.0p25 (semver) |
Credits
PS Positive Security GmbH
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T12:36:52.848008Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T12:37:04.819Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Checkmk",
"vendor": "Checkmk GmbH",
"versions": [
{
"lessThan": "2.5.0b2",
"status": "affected",
"version": "2.5.0b1",
"versionType": "semver"
},
{
"lessThan": "2.4.0p25",
"status": "affected",
"version": "2.4.0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.5.0b2",
"versionStartIncluding": "2.5.0b1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.4.0p25",
"versionStartIncluding": "2.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "PS Positive Security GmbH"
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information"
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-280",
"description": "CWE-280: Improper Handling of Insufficient Permissions or Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T10:07:21.670Z",
"orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
"shortName": "Checkmk"
},
"references": [
{
"url": "https://checkmk.com/werk/18989"
}
],
"title": "Insufficient permission validation on multiple REST API Quick Setup endpoints",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f",
"assignerShortName": "Checkmk",
"cveId": "CVE-2026-24096",
"datePublished": "2026-04-01T10:07:21.670Z",
"dateReserved": "2026-01-21T14:39:24.128Z",
"dateUpdated": "2026-04-01T12:37:04.819Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-24096\",\"sourceIdentifier\":\"security@checkmk.com\",\"published\":\"2026-04-01T11:15:58.423\",\"lastModified\":\"2026-04-07T20:51:23.327\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security@checkmk.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security@checkmk.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-280\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"022C075A-4B04-4141-A7D7-F93C9A7CE0FD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:b1:*:*:*:*:*:*\",\"matchCriteriaId\":\"60C00469-0CD1-4E9C-8370-CE113842056C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:b2:*:*:*:*:*:*\",\"matchCriteriaId\":\"179905FC-821F-4214-A872-E4E3702419D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:b3:*:*:*:*:*:*\",\"matchCriteriaId\":\"04956994-D5A8-45EE-9DC2-8A1D3058CE8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:b4:*:*:*:*:*:*\",\"matchCriteriaId\":\"8868449B-7259-4C3B-8344-0EFE0BA3A97E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:b5:*:*:*:*:*:*\",\"matchCriteriaId\":\"BBDF3A13-582F-43D2-B42F-0DC42D4FBFBA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:b6:*:*:*:*:*:*\",\"matchCriteriaId\":\"DAF500B3-AA6A-4618-BC7E-0F214B795E0F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"1CFE68AB-1F57-497C-9229-29ED3A73D87F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p10:*:*:*:*:*:*\",\"matchCriteriaId\":\"577F9F72-2FDA-4F87-A840-05158F2368B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p11:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F3AD894-660B-41FC-B910-899A764A00B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p12:*:*:*:*:*:*\",\"matchCriteriaId\":\"21853BB4-1BB5-40E3-82E2-253899D898ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p13:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7963D66-A89A-4167-A2BA-DFF89B439EAE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p14:*:*:*:*:*:*\",\"matchCriteriaId\":\"42099281-2026-4507-A20B-C669C206ADB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p15:*:*:*:*:*:*\",\"matchCriteriaId\":\"29A44B1E-83CD-4A3D-AFFD-82AAC7760293\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p16:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4B87192-D81E-4269-ABF3-8D700BB531B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p17:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D35CD46-F8CF-49C3-8CD9-53E1ED038023\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p18:*:*:*:*:*:*\",\"matchCriteriaId\":\"D5B5649C-C0BA-4905-98DD-CA606DD2B886\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p19:*:*:*:*:*:*\",\"matchCriteriaId\":\"29148EA6-675F-4B35-81BF-B8254C1EB675\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"B11306B4-1092-470C-BA87-DBD02A18A74B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p20:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E85F65E-A103-425E-8AD5-7EE9F093B463\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p21:*:*:*:*:*:*\",\"matchCriteriaId\":\"65DF329A-4E2D-4138-99C5-6765789051CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p22:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B9B340D-84F6-4CE9-A627-E26F340B3705\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p23:*:*:*:*:*:*\",\"matchCriteriaId\":\"CCAD0F84-7273-4FDF-B238-177E1C4D5F5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p24:*:*:*:*:*:*\",\"matchCriteriaId\":\"860D2E5C-6277-44F5-A3FE-C085F76B8514\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"74F78C48-030A-48A1-B69E-04C4EA5CCC12\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"8701A914-774B-4E3B-A651-4A9FD19A187A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"19E40054-C44D-4C4C-B077-0333D8201E5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p6:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E2D2F49-32B2-42AA-B99E-7C39403CF104\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p7:*:*:*:*:*:*\",\"matchCriteriaId\":\"ACE440F8-EBF5-4DBB-A215-57D770C66219\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p8:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A94395D-DDCE-4977-89CA-46F71C3CA2B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.4.0:p9:*:*:*:*:*:*\",\"matchCriteriaId\":\"9513876C-8DF0-4A59-864F-8401BAA43376\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:checkmk:checkmk:2.5.0:b1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F8943BB3-1487-494C-B4EB-89EB0B18B6A2\"}]}]}],\"references\":[{\"url\":\"https://checkmk.com/werk/18989\",\"source\":\"security@checkmk.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-24096\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-01T12:36:52.848008Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-01T12:36:59.856Z\"}}], \"cna\": {\"title\": \"Insufficient permission validation on multiple REST API Quick Setup endpoints\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"PS Positive Security GmbH\"}], \"impacts\": [{\"capecId\": \"CAPEC-180\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels\"}]}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\"}}], \"affected\": [{\"vendor\": \"Checkmk GmbH\", \"product\": \"Checkmk\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.5.0b1\", \"lessThan\": \"2.5.0b2\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"2.4.0\", \"lessThan\": \"2.4.0p25\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://checkmk.com/werk/18989\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-280\", \"description\": \"CWE-280: Improper Handling of Insufficient Permissions or Privileges\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2.5.0b2\", \"versionStartIncluding\": \"2.5.0b1\"}, {\"criteria\": \"cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2.4.0p25\", \"versionStartIncluding\": \"2.4.0\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"f7d6281c-4801-44ce-ace2-493291dedb0f\", \"shortName\": \"Checkmk\", \"dateUpdated\": \"2026-04-01T10:07:21.670Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-24096\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-01T12:37:04.819Z\", \"dateReserved\": \"2026-01-21T14:39:24.128Z\", \"assignerOrgId\": \"f7d6281c-4801-44ce-ace2-493291dedb0f\", \"datePublished\": \"2026-04-01T10:07:21.670Z\", \"assignerShortName\": \"Checkmk\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…