Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-24097 is a security vulnerability in Checkmk's agent-receiver component, specifically in the agent-receiver/register_existing endpoint."}, {'type': 'paragraph', 'content': 'Before the fix, any authenticated user could enumerate existing hosts by analyzing different HTTP response codes returned by this endpoint.'}, {'type': 'paragraph', 'content': "The vulnerability occurred because the endpoint checked if a host existed before verifying the user's permissions, allowing users to distinguish between a 404 Not Found response (host does not exist) and a 403 Forbidden response (host exists but access is denied)."}, {'type': 'paragraph', 'content': 'This behavior enabled unauthorized users to gather information about existing hosts, leading to information disclosure.'}, {'type': 'paragraph', 'content': 'The fix changes the endpoint to return a 403 Forbidden response both when the host does not exist and when the user lacks sufficient privileges, preventing host enumeration.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows authenticated users to enumerate existing hosts in the Checkmk system by observing different HTTP response codes.

Such host enumeration can lead to information disclosure, revealing details about the network or infrastructure that should remain confidential.

Attackers or unauthorized users could use this information to plan further attacks or gain insights into the environment.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to enumerate hosts via the `agent-receiver/register_existing` endpoint while authenticated. By observing the HTTP response codes, an attacker can distinguish whether a host exists or not based on differing responses (404 Not Found vs 403 Forbidden).'}, {'type': 'paragraph', 'content': 'To detect this on your system, you can perform authenticated HTTP requests to the `agent-receiver/register_existing` endpoint with different hostnames and observe the response codes. If the endpoint returns 404 for non-existent hosts and 403 for existing hosts without proper permission checks, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Example command using curl (replace <host> and <auth_token> accordingly):'}, {'type': 'list_item', 'content': 'curl -i -H "Authorization: Bearer <auth_token>" "https://<checkmk-server>/agent-receiver/register_existing?host=<hostname>"'}, {'type': 'paragraph', 'content': 'By testing multiple hostnames and comparing the HTTP status codes, you can verify if host enumeration is possible.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to apply the security update provided by Checkmk that fixes the permission enforcement in the `agent-receiver/register_existing` endpoint.

The fix changes the endpoint to return a 403 Forbidden response both when the host does not exist and when the user lacks sufficient privileges, preventing host enumeration.

No manual interaction is required to apply the fix other than updating to the patched versions: 2.4.0p23 or later, 2.3.0p43 or later, or upgrading from the end-of-life 2.2.0.

Until the update is applied, consider restricting authenticated user access to the affected endpoint or monitoring for suspicious enumeration activity.

Useful 0 Not Useful 0