Description
Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url endpoint. The endpoint does not enforce authentication or verify whether a status page is published before returning full status page details. As a result, unpublished status pages and their associated internal data are accessible to any unauthenticated user via direct API requests. This issue has been patched in version 3.4.0.
Published: 2026-03-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated GET request to the /api/v1/status-page/:url endpoint exposes full status page information even if it has not been published. This lack of authentication and publication state verification represents a CWE-200 Information Exposure vulnerability. The endpoint omits authentication checks and does not verify publication state, allowing any user to retrieve internal hardware, uptime, response time, and incident details. This information disclosure can lead to compromised confidentiality of server infrastructure and operational insights.

Affected Systems

The vulnerability affects the open‑source Checkmate tool provided by bluewave‑labs. All installations running any version older than 3.4.0 are susceptible, as the fix was introduced in that release.

Risk and Exploitability

The CVSS score of 5.3 reflects a moderate severity, while the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Attackers can simply issue an unauthenticated HTTP GET request to the vulnerable endpoint without needing special permissions, making the exploit straightforward.

Generated by OpenCVE AI on April 17, 2026 at 12:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Checkmate to version 3.4.0 or newer to apply the official fix.
  • If upgrading is delayed, restrict unauthenticated access to the /api/v1/status-page/:url endpoint using firewall rules or reverse‑proxy authentication, ensuring only trusted hosts can query it.
  • Continuously monitor API logs for suspicious GET requests to the status‑page endpoint and investigate any unauthorized attempts.

Generated by OpenCVE AI on April 17, 2026 at 12:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Bluewavelabs
Bluewavelabs checkmate
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:bluewavelabs:checkmate:*:*:*:*:*:*:*:*
Vendors & Products Bluewavelabs
Bluewavelabs checkmate

Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Bluewave-labs
Bluewave-labs checkmate
Vendors & Products Bluewave-labs
Bluewave-labs checkmate

Sat, 07 Mar 2026 06:00:00 +0000

Type Values Removed Values Added
Description Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url endpoint. The endpoint does not enforce authentication or verify whether a status page is published before returning full status page details. As a result, unpublished status pages and their associated internal data are accessible to any unauthenticated user via direct API requests. This issue has been patched in version 3.4.0.
Title Checkmate: Unauthenticated Access to Unpublished Status Page
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Bluewave-labs Checkmate
Bluewavelabs Checkmate
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:58:13.860Z

Reserved: 2026-03-05T21:06:44.606Z

Link: CVE-2026-30829

cve-icon Vulnrichment

Updated: 2026-03-10T17:50:33.556Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-07T06:16:10.957

Modified: 2026-03-11T18:56:04.560

Link: CVE-2026-30829

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:15:18Z

Weaknesses