CVE-2026-30829
Received - Intake
Unauthenticated Information Disclosure in Checkmate Status Page API

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url endpoint. The endpoint does not enforce authentication or verify whether a status page is published before returning full status page details. As a result, unpublished status pages and their associated internal data are accessible to any unauthenticated user via direct API requests. This issue has been patched in version 3.4.0.
Meta Information
Published: 2026-03-07
Last Modified: 2026-03-11
Generated: 2026-06-16
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: bluewavelabs
Product: checkmate
Version / Range: up to 3.4.0 (exclusive)
CWE ID: CWE-200
Description: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable API endpoint without authentication and checking if unpublished status page details are returned.

A suggested command to test for this vulnerability is to use curl to make a direct API request to the endpoint, for example:

  • curl "http://localhost:52347/api/v1/status-page/<status-page-address>?type=uptime"

If the response returns full details of unpublished or private status pages without requiring authentication, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade the Checkmate software to version 3.4.0 or later, where this vulnerability has been patched.

This patch enforces authentication and verifies whether a status page is published before returning its details, preventing unauthorized access.
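
The access rule described above, shown beside the pre-3.4.0 behaviour as an added JavaScript sketch. This is not Checkmate's own code: the record fields (url, isPublished, monitors), req.user, and the function names are assumptions, as is the choice to keep published pages readable without authentication.

```javascript
// Constructed sample records; field names (url, isPublished, monitors) are assumptions.
const statusPages = new Map([
  ["public-status", { url: "public-status", isPublished: true, monitors: ["www"] }],
  ["internal-draft", { url: "internal-draft", isPublished: false, monitors: ["db-primary.internal"] }],
]);

const notFound = () => ({ status: 404, body: { msg: "Status page not found" } });

// Behaviour the advisory describes before 3.4.0: any caller gets the full record.
function getStatusPageVulnerable(req) {
  const page = statusPages.get(req.params.url);
  return page ? { status: 200, body: page } : notFound();
}

// Hardened rule: an unpublished page is returned only to an authenticated caller.
// req.user is assumed to be set by an upstream auth middleware (hypothetical).
function getStatusPageHardened(req) {
  const page = statusPages.get(req.params.url);
  const authenticated = Boolean(req.user);
  // Same 404 for "missing" and "unpublished, anonymous caller", so the
  // response does not confirm that a draft exists at that URL.
  if (!page || (!page.isPublished && !authenticated)) return notFound();
  return { status: 200, body: page };
}

// Regression check: anonymous requests for every unpublished page must not succeed.
function leakedUnpublished(handler) {
  const leaked = [];
  for (const [url, page] of statusPages) {
    if (page.isPublished) continue;
    const res = handler({ params: { url } }); // no req.user: unauthenticated
    if (res.status === 200) leaked.push(url);
  }
  return leaked;
}

console.log("vulnerable leaks:", leakedUnpublished(getStatusPageVulnerable));
console.log("hardened leaks:  ", leakedUnpublished(getStatusPageHardened));
```

A check like leakedUnpublished fits in an API test suite so that a later refactor of the route cannot silently reintroduce the exposure.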

Executive Summary

CVE-2026-30829 is an unauthenticated information disclosure vulnerability in the Checkmate tool, specifically affecting versions prior to 3.4.0.

The vulnerability exists in the GET /api/v1/status-page/:url endpoint, which does not enforce authentication or verify whether a status page is published before returning its details.

As a result, any unauthenticated user can access full details of unpublished (private) status pages and their associated internal data by making direct API requests.

Impact Analysis

This vulnerability can lead to unintended public exposure of private status pages and sensitive internal data.

Since no authentication is required to access these unpublished status pages, attackers or unauthorized users can retrieve potentially sensitive information about server hardware, uptime, response times, and incidents.

The impact is classified as a moderate severity information disclosure with a CVSS v3.1 base score of 5.3.
