Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows unauthenticated users to enumerate existing hosts by observing different HTTP response codes in deploy_agent endpoint, which could lead to information disclosure.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Checkmk GmbH | Checkmk | unaffected |
|
No data.
No data.
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
| Link | Providers |
|---|---|
| https://checkmk.com/werk/18994 |
|
History
Fri, 13 Mar 2026 10:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows unauthenticated users to enumerate existing hosts by observing different HTTP response codes in deploy_agent endpoint, which could lead to information disclosure. | |
| Title | Unauthenticated Host Enumeration via Observable Response Discrepancy on Deploy Agent Endpoint | |
| First Time appeared |
Checkmk
Checkmk checkmk |
|
| Weaknesses | CWE-204 | |
| CPEs | cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:* cpe:2.3:a:checkmk:checkmk:2.2.0:*:*:*:*:*:*:* |
|
| Vendors & Products |
Checkmk
Checkmk checkmk |
|
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: Checkmk
Published:
Updated: 2026-03-13T09:40:43.743Z
Reserved: 2026-02-20T11:17:22.562Z
Link: CVE-2026-2859
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses