Checkmk User Messages Widget Incorrect Authorization Vulnerability

Vulnerability

A vulnerability exists in Checkmk versions through 2.5.0p5 within the User Messages dashboard widget. The issue arises from incorrect authorization, allowing the message-fetching endpoints to return messages from the dashboard creator instead of the viewer. This flaw enables an attacker with knowledge of a valid public dashboard share token to access the issuer's personal messages by sending requests to the affected endpoint, even if the User Messages widget is not present on the dashboard.
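To make the authorization mistake concrete, here is an added illustration in Python (hypothetical code, not Checkmk's own; the users, tokens, endpoint names and the `user_messages` widget id are all assumptions): a share-token message endpoint that keys the lookup on the token issuer, beside one that keys it on the requesting viewer and first checks that the widget is actually part of the shared dashboard.

```python
# Added illustration (hypothetical, not Checkmk's code): a share-token message
# endpoint scoped to the dashboard creator (the bug) beside one scoped to the viewer.

# Constructed sample state; all users and tokens are invented.
SHARE_TOKENS = {"tok-alice": "alice", "tok-carol": "carol"}   # token -> issuer
DASHBOARDS = {                                                  # issuer -> widgets
    "alice": ["host_stats"],                   # User Messages widget absent
    "carol": ["host_stats", "user_messages"],  # User Messages widget present
}
USER_MESSAGES = {
    "alice": ["alice: private note"],
    "carol": ["carol: private note"],
    "bob": ["bob: welcome"],
}

def resolve_share_token(token):
    """Return (issuer, widgets) for a valid public share token."""
    issuer = SHARE_TOKENS.get(token)
    if issuer is None:
        raise PermissionError("unknown share token")
    return issuer, DASHBOARDS[issuer]

def fetch_messages_vulnerable(token, viewer):
    """Bug: the effective user is the token issuer, not the viewer, and the
    widget's presence on the shared dashboard is never checked."""
    issuer, _widgets = resolve_share_token(token)
    return list(USER_MESSAGES.get(issuer, []))

def fetch_messages_fixed(token, viewer):
    """Fix: serve the widget only if it is on the shared dashboard, and only
    ever return the requesting viewer's own messages."""
    _issuer, widgets = resolve_share_token(token)
    if "user_messages" not in widgets:
        raise PermissionError("widget not part of the shared dashboard")
    if viewer is None:   # anonymous token holder has no personal messages
        return []
    return list(USER_MESSAGES.get(viewer, []))

def leaks_issuer_messages(fetch, token, viewer):
    """Regression check: does `fetch` hand a viewer the issuer's messages?"""
    issuer = SHARE_TOKENS[token]
    try:
        returned = fetch(token, viewer)
    except PermissionError:
        return False
    return viewer != issuer and any(m in USER_MESSAGES[issuer] for m in returned)
```

`leaks_issuer_messages` is the kind of regression test a maintainer can keep around: it must return False for every shared dashboard and viewer, including an anonymous viewer, once the endpoint is patched.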

Impact

Exploitation of this vulnerability allows unauthorized access to personal user messages of the dashboard's token issuer.

Remediation

Users are advised to revoke any shared-dashboard tokens that may grant access to sensitive user messages. The vulnerability has been fixed in Checkmk version 2.5.0p6.

Added: Jun 8, 2026, 1:24 PM
Updated: Jun 8, 2026, 1:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 0.6
exploitability: 6.0
remediation: 7.9
relevance: 9.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.