Security Flaw in Icinga PowerShell Framework Exposes Private Keys
CVE-2026-24414
What is CVE-2026-24414?
The Icinga PowerShell Framework, used for monitoring Windows environments, has a significant vulnerability in versions before 1.13.4, 1.12.4, and 1.11.2. The permissions on the 'certificate' directory allow any user to read sensitive data, notably the private key of the Icinga certificate for the host. This exposure can lead to unauthorized access and compromise system security. Users must update to the fixed versions to resolve this issue and are advised to restrict access manually by updating the ACL for the relevant directories. The issue is not limited to Icinga for Windows: Icinga 2 is also affected by related vulnerabilities.
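One way to check and apply the manual ACL restriction mentioned above, as an added PowerShell example that is not Icinga's code or the vendor's documented procedure. The `-CertDir` parameter, the `Get-BroadAce` helper and the choice of which groups count as "any user" are assumptions of this example.

```powershell
# Added example, not Icinga's code. Run elevated.
# -CertDir is a placeholder: pass your installation's 'certificate' directory.
param(
    [Parameter(Mandatory)] [string] $CertDir,
    [switch] $Fix   # without -Fix the script only reports
)

# Well-known SIDs of groups that include every local user.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-BroadAce {
    param([string] $Path)
    # Explicit and inherited rules, identities returned as SIDs.
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $SidType) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $BroadSids.ContainsKey($_.IdentityReference.Value) } |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $Path
                Principal = $BroadSids[$_.IdentityReference.Value]
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

# The directory first, then everything below it (key and certificate files).
$targets = @($CertDir) + @(Get-ChildItem -LiteralPath $CertDir -Recurse -Force |
                           ForEach-Object { $_.FullName })

if ($Fix) {
    # Inherited ACEs cannot be removed in place: stop inheriting, keep a copy
    # of the current entries, and persist before editing them.
    $acl = Get-Acl -LiteralPath $CertDir
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $CertDir -AclObject $acl
    foreach ($path in $targets) {
        $acl = Get-Acl -LiteralPath $path
        foreach ($sid in $BroadSids.Keys) {
            $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier] $sid)
        }
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

# Anything listed here still lets ordinary users into the directory.
$targets | ForEach-Object { Get-BroadAce -Path $_ } | Format-Table -AutoSize
```

Before running with `-Fix`, confirm that the account the Icinga service runs under keeps access through an entry other than the three groups being removed; empty output after the fix means no broad allow entries remain.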
Affected Version(s)
icinga-powershell-framework < 1.11.2
icinga-powershell-framework >= 1.12.0, < 1.12.4
icinga-powershell-framework >= 1.13.0, < 1.13.4
