Authorization Flaw in Checkmk Affects User Messages Visibility
CVE-2026-7765
6.3 MEDIUM
What is CVE-2026-7765?
An authorization flaw exists in the User Messages dashboard widget of Checkmk versions prior to 2.5.0p5. The widget's message-fetching endpoints improperly return messages intended for the dashboard creator instead of the viewer. An attacker holding a valid public dashboard share token can send requests to these endpoints and read the personal messages of the dashboard issuer, even if the User Messages widget is not present in the dashboard. The result is unauthorized access to, and exposure of, sensitive information.
Affected Version(s)
Checkmk 2.5.0 < 2.5.0p5
