CVE-2026-2859 in Checkmk

Summary

by MITRE • 03/13/2026

Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows unauthenticated users to enumerate existing hosts by observing different HTTP response codes in the deploy_agent endpoint, which could lead to information disclosure.


Analysis

by VulDB Data Team • 03/20/2026

The vulnerability identified as CVE-2026-2859 represents a critical permission enforcement flaw within the Checkmk monitoring platform that affects multiple version streams including 2.4.0 prior to p23, 2.3.0 prior to p43, and the end-of-life 2.2.0 release. This issue stems from inadequate access controls in the deploy_agent endpoint, which serves as a critical interface for agent deployment and host management within the monitoring infrastructure. The flaw enables unauthenticated attackers to enumerate hosts by observing the varying HTTP response codes the endpoint returns, creating a significant information disclosure risk that could compromise the entire monitoring ecosystem.

The vulnerability arises from the lack of proper authentication checks in the deploy_agent endpoint, which should require valid credentials or authorization tokens before it reveals anything about hosts. When unauthenticated requests are made to this endpoint, the system responds with different HTTP status codes based on whether the requested host exists within the monitored environment. This differential response behavior creates a side channel: attackers can systematically query the endpoint with various host identifiers and analyze the response codes to determine which hosts are actively monitored by the Checkmk instance. The vulnerability specifically affects the HTTP response code handling mechanism, where queries for existing hosts return different status codes than queries for non-existent hosts, thereby leaking information about the system's host inventory without requiring any legitimate credentials or access permissions.

The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with valuable reconnaissance data that could facilitate subsequent attacks targeting specific hosts within the monitored environment. An attacker could use this information to identify critical systems, determine network topology, and prioritize targets for further exploitation. The vulnerability particularly affects organizations that rely on Checkmk for infrastructure monitoring, as it undermines the security assumptions of the monitoring platform itself. The exposure of host enumeration capabilities through unauthenticated access represents a fundamental breakdown in the principle of least privilege, where the system should enforce strict access controls to prevent unauthorized discovery of monitored assets. This weakness creates a persistent threat vector that remains active as long as vulnerable versions are deployed, potentially allowing attackers to build comprehensive maps of monitored infrastructure over time.

Organizations affected by this vulnerability should immediately implement mitigation strategies including upgrading to patched versions of Checkmk 2.4.0p23, 2.3.0p43, or newer releases that address the permission enforcement issues. Network-level controls such as firewall rules and access control lists should be implemented to restrict access to the deploy_agent endpoint, particularly in environments where external access is not required. Additionally, organizations should consider implementing additional authentication layers or API gateways to further protect the monitoring endpoints from unauthorized access attempts. The vulnerability aligns with CWE-284, which addresses improper access control issues, and could potentially be leveraged as part of broader attack chains that follow ATT&CK technique T1082 for system discovery, making it a critical concern for security operations teams responsible for monitoring infrastructure protection. Regular security assessments and vulnerability scanning should be conducted to ensure that all Checkmk instances are properly patched and that access controls are functioning as intended.
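For security operations teams, one way to look for the enumeration pattern described above in web server access logs is sketched below. This is an added example, not code from Checkmk or VulDB. The log lines are constructed, and the URL path, the "host" query parameter and the status codes in them are assumptions; the detector itself only relies on the string "deploy_agent" in the request path. It also assumes that a legitimate client asks about only its own host name.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format). The URL path, the "host"
# query parameter and the status codes are assumptions made for this demo;
# they are not taken from Checkmk.
SAMPLE_LOG = """\
198.51.100.7 - - [14/Mar/2026:10:00:01 +0000] "GET /monitoring/deploy_agent?host=web01 HTTP/1.1" 403 0
198.51.100.7 - - [14/Mar/2026:10:00:02 +0000] "GET /monitoring/deploy_agent?host=web02 HTTP/1.1" 404 0
198.51.100.7 - - [14/Mar/2026:10:00:03 +0000] "GET /monitoring/deploy_agent?host=db01 HTTP/1.1" 403 0
198.51.100.7 - - [14/Mar/2026:10:00:04 +0000] "GET /monitoring/deploy_agent?host=db02 HTTP/1.1" 404 0
198.51.100.7 - - [14/Mar/2026:10:00:05 +0000] "GET /monitoring/deploy_agent?host=mail01 HTTP/1.1" 404 0
198.51.100.7 - - [14/Mar/2026:10:00:06 +0000] "GET /monitoring/deploy_agent?host=vpn01 HTTP/1.1" 403 0
192.0.2.10 - - [14/Mar/2026:10:05:00 +0000] "GET /monitoring/deploy_agent?host=app01 HTTP/1.1" 403 0
192.0.2.10 - - [14/Mar/2026:11:05:00 +0000] "GET /monitoring/deploy_agent?host=app01 HTTP/1.1" 403 0
192.0.2.10 - - [14/Mar/2026:11:06:00 +0000] "GET /monitoring/index HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

def find_enumeration(log_text, min_hosts=5, param="host"):
    """Return {client_ip: {"hosts": n, "statuses": [...]}} for clients whose
    deploy_agent requests named at least min_hosts distinct hosts and drew
    more than one status code (the differential response)."""
    hosts = defaultdict(set)
    statuses = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        url = urlsplit(m["target"])
        if "deploy_agent" not in url.path:
            continue  # some other endpoint
        for value in parse_qs(url.query).get(param, []):
            hosts[m["ip"]].add(value.lower())
        statuses[m["ip"]].add(int(m["status"]))
    return {
        ip: {"hosts": len(names), "statuses": sorted(statuses[ip])}
        for ip, names in hosts.items()
        if len(names) >= min_hosts and len(statuses[ip]) > 1
    }

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

Clients behind a shared proxy or NAT address can name several hosts legitimately, so min_hosts should be tuned to the environment. A client that names many hosts but only ever receives one status code is not flagged, because no differential was exposed to it.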

Responsible

Checkmk

Reservation

02/20/2026

Disclosure

03/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00054

KEV

no

Activities

very low

Sources
