CVE-2026-30829
Received - Intake
Unauthenticated Information Disclosure in Checkmate Status Page API

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url endpoint. The endpoint does not enforce authentication or verify whether a status page is published before returning full status page details. As a result, unpublished status pages and their associated internal data are accessible to any unauthenticated user via direct API requests. This issue has been patched in version 3.4.0.
Meta Information
Published: 2026-03-07
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-03-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: bluewavelabs
Product: checkmate
Version / Range: to 3.4.0 (exc)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access the vulnerable API endpoint without authentication and checking if unpublished status page details are returned.

A suggested command to test for this vulnerability is to use curl to make a direct API request to the endpoint, for example:

  • curl "http://localhost:52347/api/v1/status-page/<status-page-address>?type=uptime"

If the response returns full details of unpublished or private status pages without requiring authentication, the system is vulnerable.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Checkmate software to version 3.4.0 or later, where this vulnerability has been patched.

This patch enforces authentication and verifies whether a status page is published before returning its details, preventing unauthorized access.


Can you explain this vulnerability to me?

CVE-2026-30829 is an unauthenticated information disclosure vulnerability in the Checkmate tool, specifically affecting versions prior to 3.4.0.

The vulnerability exists in the GET /api/v1/status-page/:url endpoint, which does not enforce authentication or verify whether a status page is published before returning its details.

As a result, any unauthenticated user can access full details of unpublished (private) status pages and their associated internal data by making direct API requests.
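
The missing checks described above, next to a hardened lookup, as an added JavaScript sketch that is not Checkmate's own code. The in-memory store, the `isPublished` field and the `user` argument are assumed names, and the sample pages are constructed.

```javascript
// Added illustration; not Checkmate's source. The store, the isPublished
// field and the user object are assumed names for this sketch.
const pages = new Map([ // constructed sample data
  ["public-status", { url: "public-status", isPublished: true, monitors: ["www"] }],
  ["internal-draft", { url: "internal-draft", isPublished: false, monitors: ["db-01.internal"] }],
]);

// Behaviour described for versions before 3.4.0: look the page up by URL
// and return it, with no authentication and no published check.
function getStatusPageVulnerable(store, url) {
  const page = store.get(url);
  if (!page) return { status: 404, body: { msg: "Status page not found" } };
  return { status: 200, body: page };
}

// Hardened: published pages stay public; unpublished pages require an
// authenticated caller. Anonymous callers get the same 404 as for a
// nonexistent URL, so the response does not confirm that a draft exists.
function getStatusPageHardened(store, url, user) {
  const notFound = { status: 404, body: { msg: "Status page not found" } };
  const page = store.get(url);
  if (!page) return notFound;
  if (!page.isPublished && !user) return notFound;
  return { status: 200, body: page };
}

// Regression check suitable for CI: every unpublished page must be
// invisible to an anonymous caller. Returns the URLs that leaked.
function leakedToAnonymous(store, handler) {
  const leaked = [];
  for (const [url, page] of store) {
    const res = handler(store, url, null);
    if (!page.isPublished && res.status === 200) leaked.push(url);
  }
  return leaked;
}

console.log("vulnerable leaks:", leakedToAnonymous(pages, getStatusPageVulnerable));
console.log("hardened leaks:  ", leakedToAnonymous(pages, getStatusPageHardened));
```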


How can this vulnerability impact me?

This vulnerability can lead to unintended public exposure of private status pages and sensitive internal data.

Since no authentication is required to access these unpublished status pages, attackers or unauthorized users can retrieve potentially sensitive information about server hardware, uptime, response times, and incidents.

The impact is classified as a moderate severity information disclosure with a CVSS v3.1 base score of 5.3.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know

