CVE-2026-31836
Received Received - Intake
Mass Assignment Vulnerability in Checkmate Allows Privilege Escalation

Publication date: 2026-03-20

Last updated on: 2026-03-30

Assigner: GitHub, Inc.

Description
Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions from 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any authenticated user to escalate their privileges to superadmin, bypassing all role-based access controls. An attacker can modify their user role to gain complete administrative access to the application, including the ability to view all users, modify critical configurations, and access sensitive system data. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-20
Last Modified
2026-03-30
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-31836
EUVD
EUVD-2026-13744
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bluewavelabs checkmate to 3.5.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31836 is a critical mass assignment vulnerability in the Checkmate tool, affecting versions up to 3.5.1. It occurs in the user profile update endpoint where the application fails to properly validate and sanitize user input. Although a schema validation is performed to strip unauthorized fields like the user role, the sanitized data is ignored and the raw input is used instead. This allows any authenticated user to modify their role to superadmin, bypassing all role-based access controls.

As a result, an attacker with a low-privilege account can escalate their privileges to full administrative access by sending a crafted PATCH request including the role field set to superadmin.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to gain complete administrative control over the Checkmate application.

  • View all users in the system
  • Modify critical configurations
  • Access sensitive system data

Since the attacker only needs a valid low-privilege authenticated account and no user interaction, the risk of exploitation is high.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for suspicious PATCH requests to the endpoint `/api/v1/auth/user` that include the `role` field in the request body, which should normally be stripped out.'}, {'type': 'paragraph', 'content': 'A practical detection method is to inspect logs or capture network traffic for authenticated users sending PATCH requests with a JSON body containing `"role":"superadmin"` or any unauthorized role changes.'}, {'type': 'paragraph', 'content': 'Example command using curl to test if the vulnerability exists (requires valid low-privilege user credentials):'}, {'type': 'list_item', 'content': 'curl -X PATCH https://your-checkmate-server/api/v1/auth/user -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d \'{"role":"superadmin"}\''}, {'type': 'paragraph', 'content': 'If the response indicates the role was updated or if the user gains superadmin privileges, the system is vulnerable.'}] [1]

Mitigation Strategies

Since no patches are currently available, immediate mitigation steps include:

  • Restrict access to the Checkmate application to trusted users only, minimizing the number of authenticated users.
  • Monitor and log all PATCH requests to `/api/v1/auth/user` endpoint, especially those attempting to modify the `role` field.
  • Implement network-level controls such as firewall rules or API gateways to block or alert on suspicious requests containing the `role` field.
  • Consider temporarily disabling user profile updates if feasible until a patch or fix is released.

Long term, update the application code to properly use the sanitized input from the validation schema and reject any unauthorized fields before updating the database.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31836. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart