CVE-2026-8078: Stored XSS in Checkmk Global Settings Audit Log
Checkmk versions before 2.5.0p5, 2.4.0p31, 2.3.0p48, and all 2.2.0 releases contain a stored cross-site scripting (XSS) vulnerability in the global settings change log. An administrator with permission to modify global settings can inject malicious HTML or JavaScript into changelog messages. When other users view the Activate Changes page or Audit log, this malicious code executes in their browsers, potentially compromising their sessions or stealing information.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.8 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 157 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-06-17
NVD description (verbatim)
Stored cross-site scripting in the global settings change log in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an administrator who can change global settings to store malicious HTML or JavaScript in changelog messages that executes in other users' browsers when they view the Activate Changes page or Audit log.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-8078 is a stored XSS vulnerability (CWE-79) affecting Checkmk's global settings audit trail. The vulnerability exists because changelog entries generated when administrators modify global settings are not properly sanitized before being rendered on the Activate Changes and Audit log pages. An attacker with administrator privileges can craft a settings change that embeds JavaScript or HTML payloads into the changelog message field. These payloads persist in the application's database and execute client-side whenever any authenticated user accesses either affected page. The CVSS 3.1 score of 4.8 reflects the requirement for high-privilege access (PR:H) and user interaction (UI:R) to trigger the payload, though the impact crosses security domain boundaries (S:C).
Business impact
This vulnerability creates a pathway for insider threats and account compromise within Checkmk deployments. A compromised or malicious administrator can harvest session tokens, credentials, or sensitive monitoring data from other users without leaving obvious evidence. For organizations relying on Checkmk for critical infrastructure monitoring, this could result in undetected lateral movement or persistence mechanisms. The audit and change-log pages are often reviewed during compliance activities, making them high-visibility targets for an attacker seeking to compromise multiple accounts simultaneously. Remediation is important where internal trust has been breached or where shared administrator accounts exist.
Affected systems
Checkmk versions 2.2.0 (all releases), 2.3.0 before patch 48, 2.4.0 before patch 31, and 2.5.0 before patch 5 are vulnerable. Organizations running these versions in production should prioritize inventory and patching. Verify your current version by checking the Checkmk web interface settings or documentation.
Exploitability
Exploitation requires administrator-level access to Checkmk and the ability to modify global settings. An attacker cannot exploit this remotely without already possessing high-privilege credentials. However, once injected, the malicious payload executes automatically for any user who views the affected log pages—no additional attacker interaction is needed beyond the initial injection. This makes the vulnerability attractive to insiders, compromised accounts, or adversaries who have gained administrative access through other means. No public exploit code or active in-the-wild exploitation has been reported at the time of publication.
Remediation
Patch Checkmk to 2.5.0p5 or later, 2.4.0p31 or later, 2.3.0p48 or later, or upgrade from 2.2.0 (which receives no further patches) to a supported version. Organizations unable to patch immediately should restrict access to global settings to a minimal set of trusted administrators and monitor access logs for suspicious configuration changes. Consider disabling or limiting access to the Activate Changes and Audit log pages for non-administrator users if feasible. Input validation and sanitization improvements in patched versions prevent malicious scripts from being stored.
Patch guidance
Apply the latest available patch for your Checkmk branch: verify against the vendor advisory for exact version numbers and download links. Test patching in a non-production environment first, as global settings changes may affect monitoring behavior. Review your change management process to ensure that global settings modifications are logged and reviewed by authorized personnel only. After patching, clear your browser cache to ensure old cached versions of the audit log pages are not served.
Detection guidance
Look for administrator accounts making unusual or unauthorized global settings changes, particularly those with HTML or script-like syntax in the change description. Monitor access logs for repeated views of the Activate Changes or Audit log pages by users who do not typically review those sections. Check the Checkmk audit database directly for any changelog entries containing suspicious strings such as '<script>', 'javascript:', 'onerror=', or other XSS payloads. If you suspect an injection, export the audit log to a secure location for forensic review before applying the patch, as patching may overwrite evidence.
Why prioritize this
Although the CVSS score is moderate (4.8), this vulnerability warrants prioritized patching because it enables account compromise and lateral movement for insiders or compromised administrators. Checkmk is often deployed in security-sensitive environments managing critical infrastructure alerts. The stored nature of the XSS means the malicious payload persists and can affect multiple users over an extended period without re-injection. The requirement for administrator access limits blast radius but does not eliminate the risk, especially in organizations with shared or insufficiently audited admin accounts.
Risk score, explained
The CVSS 3.1 score of 4.8 (MEDIUM) reflects: (1) network-accessible attack surface (AV:N); (2) low attack complexity (AC:L); (3) high privilege requirement (PR:H), reducing threat actors to insiders or those who have compromised admin accounts; (4) requirement for user interaction (UI:R), meaning the victim must actively view the affected page; (5) cross-boundary scope change (S:C), as the victim's browser context is in a different trust zone from the attacker's injection point; and (6) limited impact—confidentiality and integrity are affected (C:L, I:L) but availability is not (A:N). The score does not account for persistence or post-compromise capability, which elevates practical risk for defenders.
Frequently asked questions
Do we need to patch if we restrict global settings access?
Yes. Restricting access reduces the threat surface but does not eliminate the vulnerability. An insider, compromised admin account, or attacker who gains admin privileges through another vector can still inject payloads. Patching is the definitive fix.
Can this vulnerability be exploited without administrator access?
No. The vulnerability requires the ability to modify global settings, which is restricted to administrators in Checkmk's default role-based access control. However, if an attacker compromises an admin account or an insider abuses their privileges, exploitation becomes trivial.
Will patching erase malicious changelog entries already in the system?
Patching prevents new injections but does not automatically clean up existing malicious entries from the audit database. After patching, manually review and remove any suspicious changelog records, or re-initialize the audit log if feasible in your environment.
How does this affect our Checkmk monitoring reliability?
The vulnerability does not degrade Checkmk's core monitoring or alerting functions. It affects only the display of the Activate Changes and Audit log pages in the web UI. However, a compromised administrator could use the vulnerability as a stepping stone to compromise other user accounts, which could indirectly impact monitoring integrity if those accounts are used to modify monitored systems or silencing rules.
This analysis is provided for informational purposes only and does not constitute legal, security, or professional advice. Always verify patch version numbers and availability against official Checkmk vendor advisories before deploying updates. The vulnerability status, patch availability, and remediation guidance may change; consult Checkmk's official security announcements for the most current information. No liability is assumed for errors, omissions, or actions taken based on this analysis. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-7186MEDIUMStored XSS in Checkmk Dashboard Widget – Patch Now
- CVE-2026-8833MEDIUMCheckmk URL Validation Bypass & XSS Vulnerability
- CVE-2026-9549MEDIUMStored XSS in Checkmk Service Discovery – Patch Guidance
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk