Description
Exposure of session signing secret in Checkmk <2.4.0p23, <2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies.
Published: 2026-03-24
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Session Hijacking
Action: Immediate Patch
AI Analysis

Impact

A Checkmk session signing secret is exposed in versions prior to 2.4.0p23, prior to 2.3.0p45, and in the 2.2.0 release. Armed with this secret, an administrator who has access to a remote site that participates in configuration synchronization can forge session cookies for the central site. The forged cookies grant the attacker full access to the central instance, effectively hijacking any authenticated session and enabling them to view, modify or delete data and configuration across the monitored environment. This vulnerability enables unauthorized credential misuse and could lead to complete compromise of the central management system.

Affected Systems

The affected product is Checkmk by Checkmk GmbH. Versions impacted are any releases prior to 2.4.0p23, prior to 2.3.0p45 and the 2.2.0 release. All older releases of the product are considered vulnerable unless they have been upgraded beyond the stated thresholds.

Risk and Exploitability

The CVSS score of 7.3 classifies the flaw as high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, yet the necessary conditions for exploitation—access to a remote site with configuration sync enabled—are realistic for operators that manage distributed deployments. An attacker who controls one node can generate valid session tokens for the central node, a direct path to privilege escalation and data disclosure. The risk remains significant for organizations maintaining distributed Checkmk installations without immediately applying the patch.

Generated by OpenCVE AI on March 24, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Checkmk to any version not affected (≥2.4.0p23, ≥2.3.0p45, or 2.2.1 and later).
  • If an upgrade cannot be performed instantly, disable or remove configuration synchronization between sites or restrict it to trusted administrators only.



Advisories

No advisories yet.

References
History

Tue, 24 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 11:45:00 +0000

Type Values Removed Values Added
Description Exposure of session signing secret in Checkmk <2.4.0p23, <2.3.0p45 and 2.2.0 allows an administrator of a remote site with config sync enabled to hijack sessions on the central site by forging session cookies.
Title Session hijacking via exposed session signing secret in distributed Checkmk setups
First Time appeared Checkmk
Checkmk checkmk
Weaknesses CWE-522
CPEs cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*
Vendors & Products Checkmk
Checkmk checkmk
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Checkmk

Published:

Updated: 2026-03-25T03:55:50.621Z

Reserved: 2025-11-12T09:16:24.093Z

Link: CVE-2025-64998

Vulnrichment

Updated: 2026-03-24T14:05:15.260Z

NVD

Status : Awaiting Analysis

Published: 2026-03-24T12:16:11.930

Modified: 2026-03-24T15:53:48.067

Link: CVE-2025-64998

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:39:45Z

Weaknesses