CVE-2026-7765
Analyzed Analyzed - Analysis Complete

Incorrect Authorization in Checkmk User Messages Widget

Publication date: 2026-06-08

Last updated on: 2026-06-09

Assigner: Checkmk GmbH

Description
Incorrect authorization in the User Messages dashboard widget in Checkmk <2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by sending requests to the underlying endpoint, even without a User Messages widget present.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-08
Last Modified
2026-06-09
Generated
2026-06-28
AI Q&A
2026-06-08
EPSS Evaluated
2026-06-27
NVD
CVE-2026-7765
EUVD
EUVD-2026-35051

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0
checkmk checkmk 2.5.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-7765 is a security vulnerability in Checkmk versions earlier than 2.5.0p5 involving the User Messages dashboard widget on shared dashboards.

The issue arises because the message-fetching endpoints return the dashboard creator's personal messages instead of the viewer's messages when accessed with a valid public dashboard share token.

This means an attacker who knows a valid share token can read the issuer's personal messages by sending requests to the underlying endpoint, even if the User Messages widget is not present on the dashboard.

The vulnerability was fixed by removing the vulnerable endpoint and replacing the widget with a placeholder on shared dashboards.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of personal messages belonging to the dashboard creator.

An attacker with access to a valid public dashboard share token can read sensitive personal messages without needing further privileges or user interaction.

This could result in privacy breaches, exposure of confidential information, and potential misuse of the leaked data.

Detection Guidance

This vulnerability can be detected by identifying requests made to the message-fetching endpoint associated with the User Messages widget on shared dashboards, specifically the endpoint get_user_messages_token_auth.py. Monitoring network traffic for requests containing valid public dashboard share tokens accessing this endpoint may indicate exploitation attempts.

Since the vulnerability involves unauthorized access via a valid share token, commands or tools that inspect HTTP requests for such tokens or unusual access patterns to the message-fetching endpoint could be used.

  • Use network monitoring tools like tcpdump or Wireshark to filter HTTP requests to the endpoint get_user_messages_token_auth.py.
  • Example tcpdump command: tcpdump -i any -A 'tcp port 80 or tcp port 443' | grep 'get_user_messages_token_auth.py'
  • Check web server logs for requests containing share tokens accessing the message-fetching endpoint.
Mitigation Strategies

Immediate mitigation steps include revoking all shared-dashboard tokens to prevent unauthorized access via valid tokens.

Applying the official fix by upgrading Checkmk to version 2.5.0p5 or later is essential, as the fix removes the vulnerable endpoint and replaces the User Messages widget on shared dashboards with a placeholder.

Compliance Impact

The vulnerability allows unauthorized access to personal user messages via shared dashboard tokens, potentially exposing sensitive personal information.

Such unauthorized disclosure of personal messages could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on personal and sensitive data access.

Organizations using affected Checkmk versions should consider this risk and revoke shared-dashboard tokens until the vulnerability is fixed to maintain compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7765. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart