CVE-2026-3103
Received Received - Intake

Logic Error in Checkmk remove_password() Causes Data Loss

Vulnerability report for CVE-2026-3103, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-04

Last updated on: 2026-03-05

Assigner: Checkmk GmbH

Description

A logic error in the remove_password() function in Checkmk GmbH's Checkmk versions <2.4.0p23, <2.3.0p43, and 2.2.0 (EOL) allows a low-privileged user to cause data loss.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-04
Last Modified
2026-03-05
Generated
2026-07-06
AI Q&A
2026-03-04
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 79 associated CPEs
Vendor Product Version / Range
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.2.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.3.0
checkmk checkmk 2.3.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0
checkmk checkmk 2.4.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3103 is a security flaw in Checkmk\'s password management system affecting certain versions before 2.4.0p23 and 2.3.0p43. The vulnerability is caused by a logic error in the remove_password() function. When a low-privileged monitoring user with the "user" role attempts to delete a password via the REST API or Quick Setup UI, the function only loads and saves the subset of passwords editable by that user. As a result, deleting one password unintentionally causes all passwords outside the user\'s editable scope to be wiped from the password store.'}, {'type': 'paragraph', 'content': 'This means that users with membership in at least one contact group and ownership of passwords can trigger unauthorized mass deletion of passwords belonging to other groups, potentially disrupting services that depend on those credentials. The issue does not affect password deletions performed through the standard Setup > Passwords interface.'}, {'type': 'paragraph', 'content': "The vulnerability has been fixed by modifying remove_password() to load the entire password store, verify the targeted password is within the user's editable set, remove only that specific password, and then write back the complete password store, preventing unintended deletions."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized mass deletion of passwords in the Checkmk password store by low-privileged users. Such deletions can disrupt services that rely on those credentials, potentially causing operational outages or failures.'}, {'type': 'paragraph', 'content': 'Administrators who use the Checkmk password store with monitoring users assigned the "user" role and contact group memberships are particularly impacted. Indicators of compromise include unexpected loss of password entries and audit log entries showing password deletions by non-administrators.'}, {'type': 'paragraph', 'content': 'Before patching, mitigation involves restricting password management permissions exclusively to administrators to prevent exploitation.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unexpected loss of password entries in the Checkmk password store file located at var/check_mk/wato/passwords.mk.'}, {'type': 'paragraph', 'content': 'Additionally, audit logs should be reviewed for password deletion events performed by non-administrator users, especially those with the "user" role.'}, {'type': 'paragraph', 'content': 'Suggested commands include checking the contents and modification timestamps of the password store file, for example:'}, {'type': 'list_item', 'content': 'ls -l var/check_mk/wato/passwords.mk'}, {'type': 'list_item', 'content': 'cat var/check_mk/wato/passwords.mk'}, {'type': 'paragraph', 'content': 'And reviewing audit logs for deletion actions by non-admin users, depending on your logging setup, for example:'}, {'type': 'list_item', 'content': "grep 'password deletion' /var/log/checkmk/audit.log | grep -v 'admin'"}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting password management permissions exclusively to administrators to prevent low-privileged users from invoking the vulnerable remove_password() function.'}, {'type': 'paragraph', 'content': 'This limits the ability of users with the "user" role and contact group memberships from causing unintended mass deletion of passwords.'}, {'type': 'paragraph', 'content': 'Applying the official patches or upgrading to fixed versions of Checkmk when available is recommended for a permanent fix.'}] [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart