Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-2859 is a security vulnerability in Checkmk's deploy_agent.py endpoint that allows unauthenticated users to enumerate existing hosts."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the endpoint returns different HTTP responses depending on whether a submitted host name exists or not, even without a valid secret. Specifically, it responds with "This host is not registered" if the host does not exist, and "Invalid host secret" if the host exists but the secret is wrong.'}, {'type': 'paragraph', 'content': 'This difference in responses leaks information about which hosts are registered, enabling attackers to discover host presence without authentication.'}, {'type': 'paragraph', 'content': 'The issue affects Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL). The fix involves modifying the endpoint to return a uniform generic response regardless of host existence or secret validity, preventing host enumeration.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to information disclosure by allowing unauthenticated attackers to determine which hosts are registered in the Checkmk monitoring system.

By enumerating hosts, attackers gain knowledge about the network infrastructure, which could be used to plan further attacks or reconnaissance.

Although the vulnerability does not allow direct system compromise, the information leakage increases the attack surface and may facilitate targeted attacks.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending HTTP requests to the deploy_agent endpoint of Checkmk with various host names and observing the HTTP response codes.'}, {'type': 'paragraph', 'content': 'Before the fix, different responses such as "This host is not registered" versus "Invalid host secret" would indicate whether a host exists or not, allowing host enumeration.'}, {'type': 'paragraph', 'content': 'To test this, you can use commands like curl to send requests with different host names and check if the responses differ, which would indicate the presence of the vulnerability.'}, {'type': 'list_item', 'content': "curl -X POST https://<checkmk-server>/deploy_agent -d 'host=knownhost&secret=invalidsecret'"}, {'type': 'list_item', 'content': "curl -X POST https://<checkmk-server>/deploy_agent -d 'host=unknownhost&secret=invalidsecret'"}, {'type': 'paragraph', 'content': 'If the responses differ between known and unknown hosts, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Checkmk to a fixed version where the deploy_agent endpoint returns a uniform response regardless of host existence or secret validity.

Specifically, update to versions 2.5.0b1, 2.6.0b1, or later releases where the vulnerability has been addressed.

Until the upgrade is possible, consider restricting access to the deploy_agent endpoint to trusted networks or users to reduce exposure.

Useful 0 Not Useful 0