CVE-2026-24413
Unknown Unknown - Not Provided
Improper Permissions in Icinga 2 MSI Expose Private Keys

Publication date: 2026-01-29

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-29
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-01-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24413
EUVD
EUVD-2026-4959
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
icinga icinga From 2.14.0 (inc) to 2.14.8 (exc)
icinga icinga From 2.15.0 (inc) to 2.15.2 (exc)
icinga icinga From 2.3.0 (inc) to 2.13.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Icinga 2 affects Windows installations where the MSI installer did not set proper permissions on the %ProgramData%\icinga2\var folder. As a result, all local users on the system could read the contents of this folder, which includes sensitive data such as the user's private key and synchronized configuration files. This exposure occurs in versions starting from 2.3.0 up to but not including 2.13.14, 2.14.8, and 2.15.2, which contain fixes.

Impact Analysis

The vulnerability allows any local user on a Windows system running affected versions of Icinga 2 to read sensitive files, including private keys and configuration data. This could lead to unauthorized access, impersonation of the Icinga service user, or manipulation of monitoring configurations, potentially compromising the integrity and security of the monitoring system.

Detection Guidance

You can detect this vulnerability by checking the permissions of the folder C:\ProgramData\icinga2\var on your Windows system. If the permissions allow all local users to read the contents, including the private key and configuration files, your system is vulnerable. To check permissions, you can use the following PowerShell command: Get-Acl -Path 'C:\ProgramData\icinga2\var' | Format-List. Similarly, check the folder C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate for overly permissive ACLs.

Mitigation Strategies

Immediate mitigation steps include upgrading Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2, which automatically fix the ACLs for the Icinga 2 agent. Alternatively, you can manually update the Access Control Lists (ACLs) for the folder C:\ProgramData\icinga2\var and the folder C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate, including all subfolders and items, to restrict access to only the Icinga service user and administrators.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart