Sensitive Information Disclosure in Nagios XI by Nagios
CVE-2024-13998

6MEDIUM

Key Information:

Vendor

NagiOS

Status
Xi
Vendor
CVE Published:
3 November 2025

What is CVE-2024-13998?

Nagios XI versions before 2024R1.1.3 may expose sensitive user account details, including API keys and hashed passwords, to authenticated users lacking appropriate access rights. This vulnerability poses a risk as it could lead to account compromises, unauthorized API privilege use, and attempts to crack hashed passwords offline. A related issue was previously flagged in CVE-2024-13995, which attempted to address an underlying problem but may not have been fully resolved in earlier versions.

Affected Version(s)

XI 0

References

https://www.nagios.com/products/security/#nagios-xi
vendor-advisorypatch
https://www.nagios.com/changelog/nagios-xi/
release-notespatch
https://www.vulncheck.com/advisories/nagios-xi-api-keys-a...
third-party-advisory

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2024-13998 : Sensitive Information Disclosure in Nagios XI by Nagios