Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-3103 is a security flaw in Checkmk\'s password management system affecting certain versions before 2.4.0p23 and 2.3.0p43. The vulnerability is caused by a logic error in the remove_password() function. When a low-privileged monitoring user with the "user" role attempts to delete a password via the REST API or Quick Setup UI, the function only loads and saves the subset of passwords editable by that user. As a result, deleting one password unintentionally causes all passwords outside the user\'s editable scope to be wiped from the password store.'}, {'type': 'paragraph', 'content': 'This means that users with membership in at least one contact group and ownership of passwords can trigger unauthorized mass deletion of passwords belonging to other groups, potentially disrupting services that depend on those credentials. The issue does not affect password deletions performed through the standard Setup > Passwords interface.'}, {'type': 'paragraph', 'content': "The vulnerability has been fixed by modifying remove_password() to load the entire password store, verify the targeted password is within the user's editable set, remove only that specific password, and then write back the complete password store, preventing unintended deletions."}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized mass deletion of passwords in the Checkmk password store by low-privileged users. Such deletions can disrupt services that rely on those credentials, potentially causing operational outages or failures.'}, {'type': 'paragraph', 'content': 'Administrators who use the Checkmk password store with monitoring users assigned the "user" role and contact group memberships are particularly impacted. Indicators of compromise include unexpected loss of password entries and audit log entries showing password deletions by non-administrators.'}, {'type': 'paragraph', 'content': 'Before patching, mitigation involves restricting password management permissions exclusively to administrators to prevent exploitation.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unexpected loss of password entries in the Checkmk password store file located at var/check_mk/wato/passwords.mk.'}, {'type': 'paragraph', 'content': 'Additionally, audit logs should be reviewed for password deletion events performed by non-administrator users, especially those with the "user" role.'}, {'type': 'paragraph', 'content': 'Suggested commands include checking the contents and modification timestamps of the password store file, for example:'}, {'type': 'list_item', 'content': 'ls -l var/check_mk/wato/passwords.mk'}, {'type': 'list_item', 'content': 'cat var/check_mk/wato/passwords.mk'}, {'type': 'paragraph', 'content': 'And reviewing audit logs for deletion actions by non-admin users, depending on your logging setup, for example:'}, {'type': 'list_item', 'content': "grep 'password deletion' /var/log/checkmk/audit.log | grep -v 'admin'"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting password management permissions exclusively to administrators to prevent low-privileged users from invoking the vulnerable remove_password() function.'}, {'type': 'paragraph', 'content': 'This limits the ability of users with the "user" role and contact group memberships from causing unintended mass deletion of passwords.'}, {'type': 'paragraph', 'content': 'Applying the official patches or upgrading to fixed versions of Checkmk when available is recommended for a permanent fix.'}] [1]

Useful 0 Not Useful 0