CVE-2026-24097 in Checkmk

Summary

by MITRE • 03/13/2026

Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows authenticated users to enumerate existing hosts by observing different HTTP response codes in agent-receiver/register_existing endpoint, which could lead to information disclosure.


Analysis

by VulDB Data Team • 03/20/2026

This vulnerability resides in the Checkmk monitoring platform where improper permission enforcement enables authenticated users to perform host enumeration through differential analysis of HTTP response codes. The flaw exists in the agent-receiver/register_existing endpoint across multiple affected versions including 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and the end-of-life 2.2.0 release. The vulnerability stems from insufficient access control validation that fails to properly verify user permissions before exposing information about system hosts.

In practice, an authenticated attacker sends requests with different host identifiers to the endpoint and observes the variation in HTTP response codes. This differential response reveals whether a given host exists in the monitored infrastructure, enabling unauthorized enumeration of the system's host inventory. The vulnerability is classified as CWE-284 (Improper Access Control), a failure to enforce least privilege on the endpoint. Attackers can use the disclosed information to map the target environment's network topology and identify potential attack surfaces.

From an operational perspective, this vulnerability compromises confidentiality by giving unauthorized users visibility into the monitored host infrastructure. An attacker could use this information to plan more targeted attacks, identify systems with specific vulnerabilities, or conduct reconnaissance for lateral movement within the network. The exposure of host inventory data aligns with ATT&CK technique T1082, which involves discovering host network information, and T1590, which covers reconnaissance targeting network infrastructure. The issue is particularly concerning where the monitoring system is a critical component of the security infrastructure, since it undermines the integrity of the security monitoring framework.

The mitigation strategy involves upgrading to the patched versions of Checkmk where the permission enforcement has been properly implemented. Organizations should also implement network segmentation and access controls to limit the exposure of the agent-receiver endpoints to only authorized users and systems. Additional defensive measures include monitoring for unusual patterns of requests to the affected endpoint and implementing rate limiting to prevent automated enumeration attempts. The vulnerability demonstrates the critical importance of proper access control implementation in security monitoring systems where the exposure of infrastructure information can significantly impact overall security posture. Organizations should conduct thorough security assessments of their monitoring infrastructure to identify similar permission enforcement issues that could lead to information disclosure vulnerabilities.
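Added example (not VulDB's or Checkmk's code): a small Python detector for the request-monitoring advice above, run over constructed access-log lines. It assumes a combined-log format with an authenticated user field; the status codes in the sample are illustrative, not the codes the endpoint actually returns.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined-log style; NOT real Checkmk logs, and
# the status codes are illustrative, not the codes the endpoint actually returns.
SAMPLE_LOG = """\
10.0.0.5 - alice [20/Mar/2026:10:00:01 +0000] "POST /mysite/agent-receiver/register_existing HTTP/1.1" 200 88
10.0.0.9 - bob [20/Mar/2026:10:00:02 +0000] "POST /mysite/agent-receiver/register_existing HTTP/1.1" 403 41
10.0.0.9 - bob [20/Mar/2026:10:00:02 +0000] "POST /mysite/agent-receiver/register_existing HTTP/1.1" 404 41
10.0.0.9 - bob [20/Mar/2026:10:00:03 +0000] "POST /mysite/agent-receiver/register_existing HTTP/1.1" 403 41
10.0.0.9 - bob [20/Mar/2026:10:00:03 +0000] "POST /mysite/agent-receiver/register_existing HTTP/1.1" 404 41
10.0.0.9 - bob [20/Mar/2026:10:00:04 +0000] "POST /mysite/agent-receiver/register_existing HTTP/1.1" 403 41
10.0.0.9 - bob [20/Mar/2026:10:00:09 +0000] "GET /mysite/check_mk/index.py HTTP/1.1" 200 512
"""
ENDPOINT = "/agent-receiver/register_existing"
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_enumerators(log_text, window_s=60, min_requests=5, min_statuses=2):
    """Return {user: (requests_in_window, sorted status codes)} for users whose
    hits on the endpoint inside one window show many requests and >1 status."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].endswith(ENDPOINT):
            by_user[rec["user"]].append(rec)
    flagged = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            statuses = {r["status"] for r in window}
            if len(window) >= min_requests and len(statuses) >= min_statuses:
                flagged[user] = (len(window), sorted(statuses))
                break
    return flagged
```

Tune `window_s` and `min_requests` to the normal registration rate of your site; a single legitimate re-registration produces one request and one status code and is never flagged.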

Responsible

Checkmk

Reservation

01/21/2026

Disclosure

03/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00043

KEV

no

Activities

very low

Sources
