Upcoming Security Release 2.4.0p25 and 2.3.0p46

Hannes · March 30, 2026, 10:00am

Dear community,

This is an announcement for an upcoming security release of Checkmk.

On Tuesday, April 7th, we will publish a patch release for all currently supported versions of Checkmk: 2.3.0 (2.3.0p46) and 2.4.0 (2.4.0p25). A patch for the 2.5.0 beta will follow the next day.

The patch contains fixes for three vulnerabilities: one with critical severity (CVE-2025-39666), one with high severity (CVE-2026-3466), and one with medium severity (CVE-2026-24096).

All editions and all configurations of Checkmk are affected.

To prepare for the patch, we recommend that all users update their environment to current patch releases (2.3.0p45 / 2.4.0p24) well in advance to reduce the risk of other, unrelated changes breaking any functionality during a security patch.

If you have any questions, please feel free to reach out to security@checkmk.com.

Your Checkmk Team

briand · March 31, 2026, 2:51pm

Hello. When is the anticipated release for 2.3.0p46? I have a patching window for a client on 2.3 tomorrow to patch OS vulnerabilities and they asked if we could roll this in to the maintenance window.
Thanks!

martin.hirschvogel · April 1, 2026, 6:43pm

@briand See in the post above. I edited the post and made it bold

briand · April 1, 2026, 7:06pm

Thank you. Clearly, I missed it before.

shodges · April 2, 2026, 2:27pm

Do you have a rough time estimate on when you’ll be releasing the update? I need to submit a change request and have to select a time range.

martin.hirschvogel · April 2, 2026, 3:00pm

I expect between 09:00 - 12:00 AM CEST.

freindl · April 7, 2026, 9:33am

Any new Update regarding this topic?

Hannes · April 7, 2026, 9:57am

The patches for 2.4.0 and 2.3.0 have been released:

Cleclercq · April 7, 2026, 10:21am

Is This werk in P25 ? –> Werk #18989

Or in P26 see the decription Werks

Hannes · April 7, 2026, 11:39am

Yes, the werk is included in 2.4.0p25. The werks listed in the release announcement posts are correct.

The werks list is lagging behind a bit and might be showing wrong versions due to the special release process for this. Should be fixed by the end of the day.

spex · April 10, 2026, 1:46pm

On the same day a new python version was released that contains the long awaited openssl update:

Python 3.13.13 final Release date: 2026-04-07

Windows

gh-144551: Updated bundled version of OpenSSL to 3.0.19.

When can we expect this to be included to fix the following CVEs:

Hannes · April 15, 2026, 8:28am

We’re working on an update for Python in the Windows agent, but I cannot give you an ETA unfortunately.

I just want to point out for completeness sake that all CVEs in your screenshot are OpenSSL CVEs, so this is unrelated to the Python version on the server side. Here we ship OpenSSL directly. 2.4.0 ships OpenSSL 3.0.19, the beta ships 3.5.4 (and should be updated too, but like I said, unrelated to the Python version).

spex · April 15, 2026, 8:46am

The checkmk server itself is not our concern currently. Every windows server that is in checkmk monitoring has a finding regarding openssl (from python from checkmk) and that are many. So there are a lot of people asking me to fix this problem including it-security for some longer time. Because of the delay there are some people who demand to look for another solution…becoming more and more.

Since python for windows has this fix included all is in your hands.

LaSoe · April 22, 2026, 3:13pm

Any news on the Python package update shipped with the Windows Agent?

It shouldn’t be too difficult to replace the bundled Python package with the new 3.13.13 version released 07.04.2026, right?

Sara · May 7, 2026, 2:24pm

Hi Lars!

We just released 2.4p28 with the Python update: Werk #19571: Update Windows agent Python runtime from 3.13.11 to 3.13.13