Nagios XI Command Injection Vulnerability in Configuration Wizards

Vulnerability

A command injection vulnerability has been identified in Nagios XI versions prior to 2026R1. The vulnerability resides within the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, and Postgres Query configuration wizards. It allows authenticated users to inject shell metacharacters into command arguments, which can then be used to execute arbitrary system commands on the host machine as the 'nagios' user.

Impact

Exploitation of this vulnerability allows for authenticated command injection, leading to arbitrary command execution on the server where Nagios XI is installed.

Reproduction

To reproduce this vulnerability, an authenticated user can navigate to the 'Configuration Wizard' section and select one of the MongoDB Database, MySQL Query, MySQL Server, Postgres Server, or Postgres Query wizards. While configuring the wizard, inject shell metacharacters into the command arguments. Once the wizard is saved, the injected commands are executed on the server as the 'nagios' user.

Remediation

Users can upgrade to Nagios XI 2026R1 or later, where this vulnerability has been fixed.
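The pattern behind this bug class, shown as an added illustration rather than Nagios XI's own code: a check command assembled by string concatenation and handed to a shell, beside a hardened version that passes one argv element per value, plus a boundary check that rejects metacharacters in wizard input. The plugin name, option flags and the database-name value are assumptions, and `echo` stands in for the real database check plugin so the demonstration is harmless.

```python
import re
import shlex
import subprocess

# Constructed wizard input carrying shell metacharacters. The appended
# command is a harmless echo, used only to contrast the two execution paths.
INJECTED_DB_NAME = "inventory; echo INJECTED"

# Characters that let a value break out of a single shell word.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\\"']")

def build_check_vulnerable(plugin, host, db):
    # Vulnerable pattern: user-supplied values are concatenated into one
    # string that is later interpreted by /bin/sh, so "inventory; echo INJECTED"
    # becomes a second command run as the monitoring user.
    return f"{plugin} -H {host} -d {db}"

def build_check_hardened(plugin, host, db):
    # Hardened pattern: one argv element per value. Executed without a shell,
    # the plugin receives the metacharacters as literal text in its argv.
    return [plugin, "-H", host, "-d", db]

def validate_wizard_arg(value):
    # Defence in depth at the wizard boundary: reject metacharacters outright
    # instead of relying on every downstream consumer to quote correctly.
    if SHELL_META.search(value):
        raise ValueError(f"shell metacharacter in wizard argument: {value!r}")
    return value

def quote_for_config(argv):
    # When the command must be written into a shell-interpreted config line
    # (as Nagios check commands are), quote every word so it stays one word.
    return " ".join(shlex.quote(word) for word in argv)

def run_vulnerable(cmd):
    # shell=True models a check command string interpreted by /bin/sh.
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_hardened(argv):
    # No shell involved: argv reaches the plugin unchanged.
    return subprocess.run(argv, capture_output=True, text=True).stdout

if __name__ == "__main__":
    vuln = build_check_vulnerable("echo", "db.example.test", INJECTED_DB_NAME)
    safe = build_check_hardened("echo", "db.example.test", INJECTED_DB_NAME)
    print(run_vulnerable(vuln))   # "INJECTED" appears on its own line
    print(run_hardened(safe))     # the metacharacters are printed literally
    print(quote_for_config(safe))
```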

Added: Sep 25, 2025, 5:18 PM
Updated: Sep 25, 2025, 7:23 PM

Vulnerability Rating

Custom Algorithm
  spread          5.0
  impact         10.0
  exploitability  5.1
  remediation     7.7
  relevance       0.6
  threat          1.7
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.