Description
Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.

The specific flaw exists within the monitoringwizard module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28245.
Published: 2026-02-20
Score: 8.8 High
EPSS: 1.6% Low
KEV: No
Impact: Remote Code Execution via Command Injection
Action: Patch Now
AI Analysis

Impact

A command injection flaw in the Nagios Host monitoring wizard allows an authenticated attacker to execute arbitrary commands on the affected service account, potentially bypassing all other security controls. The vulnerability stems from insufficient validation of a user‑supplied string that is passed directly to a system call, classifying it as a CWE‑78 type flaw. Successful exploitation results in full compromise of the host running the Nagios service, with no indication of a limited scope of impact beyond the machine context.

Affected Systems

The issue is present in Nagios Host monitoring wizard components used by Nagios XI 2026r1‑0‑1. Any Nagios XI installation running this version prior to the published fix in the 2026r1 series is affected. Users of later patches, such as 2026r1‑0‑2 and beyond, are not impacted.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8, placing it in the high severity range, and an EPSS score of about 2 %, indicating that exploitation is possible but not widespread. It is not listed in the CISA KEV catalog. Authentication is required, so an attacker must first gain valid credentials or otherwise be able to submit authenticated requests to the monitoring wizard interface. The likely attack vector is a remote network request to the Nagios web interface, where the injection is triggered via a crafted parameter. Given these factors, the risk is significant for unpatched systems that are accessible to potential attackers.

Generated by OpenCVE AI on April 17, 2026 at 17:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Nagios XI patch (2026r1‑0‑2 or later) to remove the vulnerable monitoring wizard component
  • Update to the most recent release that includes the monitoring wizard CSP and input validation fixes
  • Configure the Nagios service account with the principle of least privilege, ensuring it has minimal rights and no shell access

Generated by OpenCVE AI on April 17, 2026 at 17:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Nagios nagios Xi
CPEs cpe:2.3:a:nagios:nagios_xi:2026:r1:*:*:*:*:*:*
Vendors & Products Nagios nagios Xi
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Nagios
Nagios host
Vendors & Products Nagios
Nagios host

Fri, 20 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the monitoringwizard module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28245.
Title Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Nagios Host Nagios Xi
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-26T14:44:13.112Z

Reserved: 2026-02-06T01:14:31.431Z

Link: CVE-2026-2042

cve-icon Vulnrichment

Updated: 2026-02-24T15:08:38.338Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T23:16:04.337

Modified: 2026-02-24T13:17:25.900

Link: CVE-2026-2042

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses