Description
Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. As a result, its contents, including the private key and the synced configuration, were readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contain a fix. There are two ways to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2; these versions automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL of `C:\ProgramData\icinga2\var` (and of `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for Icinga for Windows as well), including every sub-folder and item, so that general users have no access and only the Icinga service user and administrators do.
Published: 2026-01-29
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality breach via improper folder permissions
Action: Patch immediately
AI Analysis

Impact

The Icinga 2 MSI installer for Windows sets incorrect ACLs on the %ProgramData%\icinga2\var folder in versions from 2.3.0 before 2.13.14, 2.14.8, and 2.15.2. Any local user can therefore read the folder's contents, including the TLS private key the agent uses to authenticate to its parent Icinga node and the configuration synced from that node. An attacker who copies the key and can also reach the parent node over the network can impersonate the agent, for example to report false check results. The folder itself is not made writable, which is why both CVSS vectors on this page score only the confidentiality impact (C:H / VC:H). The weakness is classified as CWE-276 (Incorrect Default Permissions).

Affected Systems

All Windows installations of Icinga 2 running affected versions are vulnerable: every release from 2.3.0 up to, but not including, the fixed release of its branch (2.13.14, 2.14.8, or 2.15.2). Hosts with Icinga for Windows older than v1.13.4, v1.12.4, or v1.11.2 are affected as well, because the PowerShell framework's certificate directory (C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate) carries the same over-broad permissions; the newer framework releases correct the ACLs of both the framework and the Icinga 2 agent. Linux and other non-Windows installations are not affected.

Risk and Exploitability

The CVSS 4.0 score of 6.8 (5.5 under CVSS 3.1) rates the issue medium severity, and the EPSS score below 1 % indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation. Exploitation requires nothing more than a login on the affected host (AV:L, PR:L, UI:N): any local user can read the folder directly, with no privilege escalation, race, or user interaction. There is no remote vector, but on shared hosts, terminal servers, or machines where an attacker already holds a low-privileged foothold, the exposed private key lets that attacker impersonate the monitoring agent to its parent node, so the exposure should be treated as a credential leak rather than a mere information disclosure.

Generated by OpenCVE AI on April 18, 2026 at 14:33 UTC.

Remediation

Fixed in Icinga 2 versions 2.13.14, 2.14.8, and 2.15.2. Two workarounds are available without upgrading Icinga 2: upgrade Icinga for Windows to at least v1.13.4, v1.12.4, or v1.11.2 (these releases correct the agent's ACLs as well), or manually restrict the ACL on C:\ProgramData\icinga2\var and C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate, including every sub-folder and item, to the Icinga service user and administrators.

OpenCVE Recommended Actions

  • Upgrade Icinga 2 to at least version 2.13.14, 2.14.8, or 2.15.2, which include the ACL fix.
  • If Icinga for Windows (the icinga-powershell-framework) is installed, upgrade it to at least v1.13.4, v1.12.4, or v1.11.2; these releases correct the permissions of both the framework's certificate directory and the Icinga 2 agent directory.
  • If upgrading is not possible, manually adjust the ACL on C:\ProgramData\icinga2\var and C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate, including every sub-folder and file, limiting access to the Icinga service account, SYSTEM, and administrators and removing rights for all other local users.
  • After either workaround, confirm with icacls or Get-Acl that no entry for BUILTIN\Users, Everyone, or Authenticated Users remains on either directory and that files later created by the service inherit the restricted ACL.
  • Fixing the ACL does not revoke a key that was already copied: on hosts where untrusted local users had access while the folder was readable, reissue the agent's certificate and private key.
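One way to audit and apply the manual ACL workaround above, written as an added example for this page (it is not code from the advisory or from the Icinga project): it lists the ACEs on the two directories that belong to "all users" principals, and with -Fix replaces each directory's ACL with SYSTEM, Administrators, and the service account, then resets the children so they inherit the corrected ACL. It assumes the Icinga 2 service runs as NT AUTHORITY\NetworkService (the installer default; pass -ServiceAccount if yours differs) and that the Windows service is registered as "icinga2"; both are assumptions to check on your host.

```powershell
<#
Added example, not part of the advisory or of Icinga's own tooling.
Audits the two directories named in the advisory for ACEs that admit every
local user and, with -Fix, restricts them to SYSTEM, Administrators and the
Icinga service account. Run from an elevated PowerShell; -Fix -WhatIf previews.
Assumption: the service account is NT AUTHORITY\NetworkService and the service
is named "icinga2"; confirm with
  (Get-CimInstance Win32_Service -Filter "Name='icinga2'").StartName
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$Path = @(
        "$env:ProgramData\icinga2\var",
        "$env:ProgramFiles\WindowsPowerShell\modules\icinga-powershell-framework\certificate"
    ),
    [string]$ServiceAccount = 'NT AUTHORITY\NetworkService',
    [switch]$Fix
)

# Well-known SIDs that stand for "every local user". Any Allow ACE for one of
# these on a directory holding a private key is too broad, whatever the rights.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
}

function Get-BroadAce {
    param([Parameter(Mandatory)][string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unmappable principal, cannot be one of the broad SIDs
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{
                Directory = $Directory
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # $true: the ACE comes from the parent folder
            }
        }
    }
}

function Repair-IcingaAcl {
    param([Parameter(Mandatory)][string]$Directory, [Parameter(Mandatory)][string]$Account)
    # Top level: stop inheriting from the parent (%ProgramData% grants Users read
    # access by default) and replace every grant with the three principals that
    # need access. (OI)(CI) makes the new ACEs inheritable by files and folders.
    & icacls.exe $Directory /inheritance:r /Q `
        /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' "$($Account):(OI)(CI)M"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Directory (exit $LASTEXITCODE)" }
    # Children: drop any explicit ACEs so every sub-folder and file simply
    # inherits the corrected ACL from the top level. The wildcard keeps the
    # top-level directory itself out of the reset.
    & icacls.exe "$Directory\*" /reset /T /C /Q
    if ($LASTEXITCODE -ne 0) { throw "icacls reset failed under $Directory (exit $LASTEXITCODE)" }
}

foreach ($dir in $Path) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Host "ABSENT   $dir"      # e.g. Icinga for Windows not installed
        continue
    }
    $findings = @(Get-BroadAce -Directory $dir)
    if ($findings.Count -eq 0) {
        Write-Host "OK       $dir"
        continue
    }
    $findings | Format-Table -AutoSize | Out-String | Write-Host
    if ($Fix -and $PSCmdlet.ShouldProcess($dir, "restrict ACL to SYSTEM, Administrators, $ServiceAccount")) {
        Repair-IcingaAcl -Directory $dir -Account $ServiceAccount
        # Re-audit so a partial icacls run cannot be mistaken for a fix.
        if (@(Get-BroadAce -Directory $dir).Count -ne 0) {
            throw "$dir still grants access to a broad principal after repair"
        }
        Write-Host "FIXED    $dir"
    } else {
        Write-Host "EXPOSED  $dir"
    }
}
```

Without -Fix the script only reports, which makes it usable as a fleet-wide check; the Inherited column tells you whether the offending entry was inherited from the parent folder (the case this advisory describes) or set explicitly, which matters because only the former is cleared by cutting inheritance. The service account is granted Modify rather than Full Control because the agent only needs to read and write under var; it never needs to change the ACL itself.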



Advisories

No advisories yet.

History

Thu, 19 Feb 2026 21:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Microsoft
                                      Microsoft windows
CPEs                                  cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
Vendors & Products                    Microsoft
                                      Microsoft windows
Metrics                               cvssV3_1
                                      {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Fri, 30 Jan 2026 09:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Icinga
                                      Icinga icinga
Vendors & Products                    Icinga
                                      Icinga icinga

Thu, 29 Jan 2026 22:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 29 Jan 2026 17:45:00 +0000

Type                 Values Removed   Values Added
Description                           Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access.
Title                                 Icinga has insecure permission of %ProgramData%\icinga2\var on Windows
Weaknesses                            CWE-276
References
Metrics                               cvssV4_0
                                      {'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-29T21:23:20.671Z

Reserved: 2026-01-22T18:19:49.174Z

Link: CVE-2026-24413

Vulnrichment

Updated: 2026-01-29T21:23:13.245Z

NVD

Status : Analyzed

Published: 2026-01-29T18:16:15.450

Modified: 2026-02-19T20:56:00.010

Link: CVE-2026-24413

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T14:45:03Z

Weaknesses