Authorization Flaw in Checkmk Affects User Messages Visibility
CVE-2026-7765

6.3MEDIUM

Key Information:

Status
Vendor
CVE Published:
8 June 2026

What is CVE-2026-7765?

An authorization flaw exists in the User Messages dashboard widget of Checkmk versions prior to 2.5.0p5. This vulnerability allows attackers to exploit the message-fetching endpoints, which improperly return messages intended for the dashboard creator instead of the viewer. By utilizing a valid public dashboard share token, attackers can make requests that reveal personal messages of the dashboard issuer, even if the User Messages widget is not present in the dashboard. This can lead to unauthorized access and exposure of sensitive information.

Affected Version(s)

Checkmk 2.5.0 < 2.5.0p5

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.