The new stable release 2.3.0p38 of Checkmk is ready for download.
This stable release ships with 1 change affecting all editions of Checkmk,
2 changes for the Enterprise editions, 0 Cloud Edition-specific and
0 Managed Services Edition-specific changes.
# Fix secrets added to URL query params
key | value
---------- | ---
date | 2025-08-07T13:29:59+00:00
version | 2.4.0p13
class | security
edition | cre
component | wato
level | 1
compatible | yes
Previously, under specific conditions (toggling page navigation after a form submission had been rejected with validation errors), passwords and other secrets entered into the form could end up in the URL query parameters.
This did not affect any stored secrets; only the data just entered by the user was at risk.
Because URLs are routinely recorded, for example in server logs, this could leak that sensitive data.
Such sensitive information is now excluded from the URL query parameters.
This issue was reported to us by an external party.
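One way to check whether a leak of this kind actually reached your logs is to scan the web server's access log for query strings that carry credential-like parameter names, and to scrub those values before the log is shared. The following is an added example, not Checkmk code: the log lines, the request paths and the parameter-name list in `KEY_RE` are constructed for the demonstration and should be adjusted to the forms you care about.

```python
"""Scan access-log lines for query strings that carry credential-like
parameter names, and redact them.

Added example for Werk 17984; this is not Checkmk code. The log lines,
the parameter names in KEY_RE and the request paths are constructed for
the demonstration, not taken from a real site.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample in Apache "combined"-style format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - cmkadmin [07/Aug/2025:13:29:59 +0000] "GET /mysite/check_mk/wato.py?mode=edit_host&host=web01 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - cmkadmin [07/Aug/2025:13:30:10 +0000] "GET /mysite/check_mk/wato.py?mode=edit_user&password=Sup3rS3cret%21&_toggle=1 HTTP/1.1" 200 4711 "-" "Mozilla/5.0"
10.0.0.9 - automation [07/Aug/2025:13:31:02 +0000] "POST /mysite/check_mk/api/1.0/domain-types/host_config/collections/all HTTP/1.1" 200 88 "-" "python-requests/2.32"
10.0.0.5 - cmkadmin [07/Aug/2025:13:32:45 +0000] "GET /mysite/check_mk/wato.py?mode=edit_notification_rule&smtp_secret=hunter2 HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

# Assumed list of parameter-name fragments that indicate a secret; extend it
# with the field names of the forms you care about.
KEY_RE = re.compile(
    r"(?:^|_)(?:pass(?:word|wd|phrase)?|secret|token|api_?key)(?:$|_)", re.IGNORECASE
)

# Only the parts of a log line needed here: user, timestamp and request target.
LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)


def secret_keys(target):
    """Return the parameter names in `target`'s query string that look like secrets."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if KEY_RE.search(k)]


def find_leaked_params(log_text):
    """Return (timestamp, user, path, [secret keys]) for each line whose query
    string carries a credential-like key. Values are deliberately not returned,
    so this report can be shared without repeating the leak."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        keys = secret_keys(m.group("target"))
        if keys:
            hits.append((m.group("ts"), m.group("user"), urlsplit(m.group("target")).path, keys))
    return hits


def redact_target(target):
    """Rebuild `target` with the values of secret-looking parameters replaced,
    e.g. for scrubbing a log before handing it to a third party."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if KEY_RE.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    for ts, user, path, keys in find_leaked_params(SAMPLE_LOG):
        print(f"{ts} user={user} path={path} leaked={','.join(keys)}")
```

On a real site, feed the file contents of the site's Apache access log to `find_leaked_params`; hits tell you which user and time to look at, without copying the secret values into yet another file. Rotate any credential that shows up.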
*Affected Versions*:
* 2.4.0
* 2.3.0
* 2.2.0
* 2.1.0 (EOL)
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 1.0 Low (`CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N`) and assigned `CVE-2025-32916`.
Werk 17984
# Path-Traversal in report scheduler
key | value
---------- | ---
date | 2025-08-13T06:11:20+00:00
version | 2.4.0p13
class | security
edition | cee
component | reporting
level | 1
compatible | yes
Prior to this Werk, an authenticated user could perform path-traversal attacks against the site's
local file directory through the report scheduler. The cause was insufficient escaping of macros,
which allowed an attacker to control where the generated `.mk` file was written and thereby
override existing `.mk` files.
Doing so can break a site's configuration. However, because the attacker cannot break out of the
predefined fields within the generated `.mk` file, the impact is limited to a DoS / breaking the
affected site.
We thank Lisa Gnedt (SBA Research) for reporting this issue.
*Affected Versions*:
* 2.4.0
* 2.3.0
* 2.2.0
* 2.1.0 (EOL)
*Mitigations*:
If you cannot update, set both of the following permissions to `no` for non-admin users within
the site: `Manage Own Scheduled Reports` (set to `yes` by default) and `Manage All Scheduled
Reports`.
Furthermore, if you believe you may have been affected by this vulnerability, we recommend that
you manually review all scheduled reports within your site and remove any schedules whose titles
contain directory information (path separators and the like).
*Indicators of Compromise*:
Checkmk always generates an `.mk` and `.pdf` file pair for each scheduled report.
Any affected path within the site's file system can therefore be identified by the presence of such
`.mk` / `.pdf` report file pairs in locations where no scheduled report is expected.
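The following is an added example (not Checkmk code) that turns the indicator above into a file-system hunt: it walks a directory tree, reports every `<name>.mk` / `<name>.pdf` pair, and skips the one directory where scheduled reports are supposed to live. The demo tree built by `build_demo_site()` and the location passed as the expected report directory are constructed assumptions; on a live system walk the site directory and pass the directory your scheduled reports are actually stored in.

```python
"""Hunt for the indicator from Werk 18207: every scheduled report produces a
`<name>.mk` / `<name>.pdf` pair, so such a pair outside the directory where
scheduled reports normally live points at a report whose path escaped.

Added example, not Checkmk code. The site layout built by build_demo_site()
and the "expected" report directory passed in the demo are constructed
assumptions for this demonstration.
"""
import os
import tempfile
from pathlib import Path


def _under(path, parent):
    """True if `path` lies below `parent` (both already resolved)."""
    try:
        path.relative_to(parent)
        return True
    except ValueError:
        return False


def find_report_pairs(root, expected_dir=None):
    """Return sorted stems (paths without suffix) under `root` for which both
    `<stem>.mk` and `<stem>.pdf` exist, ignoring anything below `expected_dir`."""
    expected = Path(expected_dir).resolve() if expected_dir else None
    pairs = []
    for dirpath, _dirs, filenames in os.walk(root):
        names = set(filenames)
        for name in filenames:
            if not name.endswith(".mk") or name[:-3] + ".pdf" not in names:
                continue
            stem = Path(dirpath, name[:-3])
            if expected is not None and _under(stem.resolve(), expected):
                continue  # a legitimate scheduled report in its usual place
            pairs.append(stem)
    return sorted(pairs)


def build_demo_site():
    """Create a throw-away tree (constructed, not a real site): one legitimate
    report pair, one config `.mk` with a stray `.pdf` next to it, and one
    ordinary `.mk` without a partner."""
    root = Path(tempfile.mkdtemp(prefix="cmk-ioc-"))
    files = [
        "var/check_mk/reports/weekly.mk",        # legitimate pair ...
        "var/check_mk/reports/weekly.pdf",
        "etc/check_mk/conf.d/wato/rules.mk",     # suspicious: config file ...
        "etc/check_mk/conf.d/wato/rules.pdf",    # ... next to a report PDF
        "etc/check_mk/main.mk",                  # normal config, no .pdf
    ]
    for rel in files:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("# constructed placeholder\n")
    return root


if __name__ == "__main__":
    site = build_demo_site()
    for stem in find_report_pairs(site, site / "var/check_mk/reports"):
        print(f"suspicious report pair: {stem}.mk / {stem}.pdf")
```

Review each reported `.mk` file before deleting anything: it is both the evidence of what was overwritten and, if a backup exists, the file you will need to restore.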
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 7.1 High
(`CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N`) and assigned `CVE-2025-39664`.
Werk 18207
# Fix security vulnerability in win_license.bat plugin
key | value
---------- | ---
date | 2025-08-21T14:15:21+00:00
version | 2.4.0p13
class | security
edition | cee
component | agents
level | 1
compatible | yes
On Windows hosts, the `win_license.bat` plugin forces English output by copying the `slmgr.vbs` script
to another location before running it (the copied script cannot find the language files there).
Previously the script was copied to a global, unprotected location, so every user on the host could edit it,
and the plugin would then execute whatever had been placed there.
To eliminate this vulnerability, the `slmgr.vbs` script is now copied to the protected location
`%SystemDrive%\ProgramData\checkmk\agent\tmp` and is deleted after use.
**Note:** Only users who use the Windows License plug-in are affected by this issue.
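Whether the location a plugin copies a script to is actually protected is a question of its ACL. The following added example (not Checkmk code) parses `icacls` output and flags directories in which any broad principal holds a write-capable right; the two listings are constructed for the demonstration, the "good" one merely showing the shape a locked-down ProgramData subfolder can have, and the sets of broad principals and write-capable rights are my assumptions, not an official list.

```python
"""Check, from `icacls` output, whether a directory grants write access to
low-privileged principals.

Added example, not Checkmk code. The two icacls listings below are constructed;
the sets BROAD_PRINCIPALS and WRITE_RIGHTS are assumptions for this check.
"""
import re

# Principals that stand for "any user on the box" (compared case-insensitively).
BROAD_PRINCIPALS = {
    "everyone",
    r"builtin\users",
    r"nt authority\authenticated users",
    r"nt authority\interactive",
}
# icacls simple and specific rights that permit creating or changing files.
WRITE_RIGHTS = {"F", "M", "W", "GA", "GW", "WD", "AD", "WA", "WEA", "DC"}

# One ACE: `<principal>:(flag)(flag)(rights)`; the principal may contain spaces.
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<rights>(?:\([^)]*\))+)$")


def parse_icacls(output, path):
    """Return [(principal, set of right/flag tokens)] from `icacls <path>` output.
    The first line carries the path before the first ACE; later ACEs are indented."""
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue  # blank line or the "Successfully processed" trailer
        tokens = set()
        for group in re.findall(r"\(([^)]*)\)", m.group("rights")):
            tokens.update(t.strip() for t in group.split(","))
        aces.append((m.group("principal"), tokens))
    return aces


def broad_writers(aces):
    """Principals from BROAD_PRINCIPALS that hold any write-capable right."""
    return sorted(p for p, rights in aces
                  if p.lower() in BROAD_PRINCIPALS and rights & WRITE_RIGHTS)


# Constructed listing: the protected location named in the fix, as it might
# look when only SYSTEM and Administrators can write.
GOOD_PATH = r"C:\ProgramData\checkmk\agent\tmp"
GOOD_ICACLS = r"""C:\ProgramData\checkmk\agent\tmp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                                 BUILTIN\Administrators:(OI)(CI)(F)
                                 BUILTIN\Users:(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed listing of a world-writable folder, the kind of place a copied
# script must not live.
BAD_PATH = r"C:\Temp"
BAD_ICACLS = r"""C:\Temp Everyone:(OI)(CI)(F)
        BUILTIN\Users:(OI)(CI)(RD,WD,AD,REA,WEA,X,RA,WA,RC,S)
        NT AUTHORITY\SYSTEM:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for label, out, path in (("good", GOOD_ICACLS, GOOD_PATH), ("bad", BAD_ICACLS, BAD_PATH)):
        print(label, path, "writable by:", broad_writers(parse_icacls(out, path)) or "nobody broad")
```

On a real host, capture `icacls "%ProgramData%\checkmk\agent\tmp"` and pass its text and the same path to `parse_icacls`; a non-empty result from `broad_writers` means the directory is not the protected location the fix relies on.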
We thank Lisa Gnedt (SBA Research) for reporting this issue.
*Affected Versions*:
* 2.4.0
* 2.3.0
* 2.2.0
* 2.1.0 (EOL)
*Mitigations*:
If you cannot update, disable the Windows License plug-in.
*Vulnerability Management*:
We have rated the issue with a CVSS Score of 8.8 High (`CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H`) and assigned `CVE-2025-32919`.