MEDIUM 5.3

CVE-2026-7765: Checkmk Authorization Bypass Exposes User Messages via Dashboard Tokens

Checkmk contains a flaw in how it controls access to user messages through its dashboard feature. When someone shares a dashboard using a public token, the system incorrectly returns messages belonging to the dashboard creator instead of the person viewing it. An attacker who obtains a valid share token can bypass normal access controls and read the creator's private messages directly from the underlying API endpoints—even if no User Messages widget is visible on the dashboard itself. This is an authorization bypass that leaks sensitive information.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-863
Affected products
8 configuration(s)
Published / Modified
2026-06-08 / 2026-06-17

NVD description (verbatim)

Incorrect authorization in the User Messages dashboard widget in Checkmk <2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by sending requests to the underlying endpoint, even without a User Messages widget present.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-7765 is an improper authorization vulnerability (CWE-863) in Checkmk versions prior to 2.5.0p5 affecting the User Messages dashboard widget and its associated message-fetching endpoints. The vulnerability stems from inadequate context switching when processing requests via shared dashboard tokens. Instead of returning messages for the authenticated viewer, the endpoints return messages for the dashboard creator. An unauthenticated attacker with knowledge of a publicly shared dashboard token can directly query the message endpoints and retrieve the issuer's personal messages, circumventing the intended access control model. The flaw is particularly concerning because it allows exploitation without requiring the presence of a User Messages widget on the dashboard itself.

Business impact

This vulnerability enables unauthorized access to sensitive organizational communications. Individuals who share dashboards—whether for collaboration or monitoring purposes—may inadvertently expose their personal messages to anyone who obtains the share token. In regulated environments, this could lead to disclosure of confidential information, internal alerts, or audit-related communications. The impact is heightened if dashboards are shared externally or if tokens are leaked through logs, repositories, or social engineering. Organizations relying on Checkmk for infrastructure monitoring should assess whether shared dashboards contain sensitive data and who has access to those tokens.

Affected systems

All versions of Checkmk prior to 2.5.0p5 are affected. The vulnerability impacts any Checkmk deployment where dashboards are shared via public tokens and the User Messages feature is in use.

Exploitability

Exploitability is straightforward. The vulnerability requires only a valid public dashboard share token (CVSS vector: AV:N/AC:L/PR:N/UI:N) and access to the message-fetching endpoints. No special privileges, authentication, or user interaction are needed. An attacker can discover share tokens through various means—leaked in chat systems, misconfigured git repositories, exposed configuration files, or social engineering. Once obtained, the attacker can immediately read the dashboard creator's messages. The attack is passive (no data modification) and does not trigger alarms on the viewer side.

Remediation

Upgrade Checkmk to version 2.5.0p5 or later. Verify that all shared dashboards are necessary and rotate or revoke share tokens for dashboards containing sensitive collaborations. Review audit logs to determine who has accessed shared dashboards and what information may have been exposed. Consider restricting dashboard sharing to internal networks or authenticated users only if the business permits.

Patch guidance

Apply Checkmk patch version 2.5.0p5 or any subsequent release. Verify the patch through Checkmk's official advisories and test in a staging environment before production deployment to ensure compatibility with existing configurations and monitoring workflows. After patching, regenerate share tokens for sensitive dashboards to invalidate any tokens that may have been compromised during the vulnerability window.

Detection guidance

Monitor API logs for requests to message-fetching endpoints originating from public dashboard share tokens, especially those from unexpected IP addresses or at unusual times. Implement alerting for repeated or bulk requests to these endpoints from the same token. Review audit logs for access patterns to the User Messages feature and cross-reference them with known share recipients. Analyze network traffic for suspicious use of shared dashboard tokens in ways inconsistent with legitimate dashboard views.

Why prioritize this

Although assigned a MEDIUM CVSS score (5.3), this vulnerability should be prioritized for organizations that share Checkmk dashboards externally or with semi-trusted users. The confidentiality impact is real—personal messages from infrastructure teams often contain sensitive details about incidents, security events, or system issues. The ease of exploitation (no authentication needed, simple API access) combined with the likelihood that share tokens may be inadvertently exposed makes this a practical threat in many environments. Patching is straightforward and low-risk, making it a good early-stage remediation candidate in any vulnerability management program.

Risk score, explained

The CVSS 3.1 score of 5.3 reflects a network-exploitable vulnerability with low attack complexity and no privilege or user interaction requirements. However, impact is limited to confidentiality of user messages; the vulnerability does not enable data modification, denial of service, or elevation of privilege. The score appropriately captures the balance between ease of exploitation and bounded scope of impact. Contextual risk escalates in environments where dashboards are widely shared, tokens are long-lived, or messages contain security-sensitive communications.

Frequently asked questions

Can an attacker modify or delete messages using this vulnerability?

No. The vulnerability is strictly a confidentiality issue. Attackers can read the dashboard creator's messages but cannot modify, delete, or perform any other action on them. CWE-863 (Improper Authorization) maps to information disclosure in this case.

What if our Checkmk dashboards are not shared publicly?

If dashboards are only accessible to authenticated users within your network, the risk is significantly lower because an attacker would need to obtain a share token through other means (phishing, credential compromise, misconfiguration). However, you should still patch to close the authorization bypass if any dashboards are or will be shared in the future.

Do we need to rotate all our dashboard share tokens immediately?

It depends on your exposure. If a dashboard was shared externally or with untrusted parties during the vulnerability window, regenerate its token immediately. For internal-only dashboards with a limited audience, prioritize patching first, then audit which tokens were active and with whom they were shared.

Will patching break our existing shared dashboard links?

Patching the vulnerability itself should not break existing links. However, it is good practice to regenerate share tokens after patching to invalidate any tokens that may have been compromised. New tokens can be issued without affecting the dashboard's functionality.

This analysis is based on published CVE data and vendor advisories current as of the publication date. Exploit information has not been independently verified. Organizations should consult Checkmk's official security advisories and release notes before deploying patches. The presence or absence of a vulnerability on the CISA KEV catalog does not diminish its potential impact in specific environments; threat modeling and business context should inform prioritization decisions. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).