CVE-2026-7765
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk13th percentile - higher than 13% of all known CVEs
Summary
Incorrect authorization in the User Messages dashboard widget in Checkmk <2.5.0p5 allows the message-fetching endpoints to return the dashboard creator's messages instead of the viewer's. An attacker who knows a valid public dashboard share token can read the issuer's personal messages by sending requests to the underlying endpoint.
Risk Assessment
The organization may be exposed to the disclosure of sensitive information, potentially leading to privacy breaches and loss of trust in the system.
Recommendation
It is recommended to update Checkmk to version 2.5.0p5 or later to mitigate this vulnerability and review the access policy for dashboards.
Original NVD description (English source)
Incorrect authorization in the User Messages dashboard widget in Checkmk <2.5.0p5 causes the message-fetching endpoints to return the dashboard creator's messages rather than the viewer's, allowing an attacker who knows a valid public dashboard share token to read the issuer's personal messages by sending requests to the underlying endpoint, even without a User Messages widget present.

