CVE-2026-33457
Livestatus Injection in Checkmk Prediction Graph Allows Command Injection
Publication date: 2026-04-10
Last updated on: 2026-04-20
Assigner: Checkmk GmbH
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.5.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.5.0 |
| checkmk | checkmk | 2.3.0 |
| checkmk | checkmk | 2.4.0 |
| checkmk | checkmk | 2.5.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-140 | The product does not neutralize or incorrectly neutralizes delimiters. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
This vulnerability can allow an authenticated user to inject arbitrary Livestatus commands, potentially leading to unauthorized access or manipulation of monitoring data within Checkmk. This could compromise the integrity and reliability of the monitoring system, possibly affecting system monitoring and alerting functions.
Can you explain this vulnerability to me?
CVE-2026-33457 is a security vulnerability in Checkmk versions prior to 2.5.0b4, 2.4.0p26, and 2.3.0p47. It allows an authenticated user to perform a Livestatus injection on the prediction graph page by injecting arbitrary Livestatus commands through a crafted service name parameter. This happens because the service description value is not properly sanitized.
The vulnerability affects multiple editions of Checkmk, including Community, Pro, Ultimate, and Ultimate MT. It is considered a trivial security issue and has been addressed with a security patch that requires no manual intervention.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should apply the security patch provided by Checkmk as soon as the fixed versions are officially released.
The fix is fully compatible and requires no manual intervention upon deployment.
Ensure that you upgrade to one of the fixed versions of Checkmk, specifically versions 2.3.0p47, 2.4.0p26, 2.5.0b4, 2.6.0b1 or later once they become available.