Description
Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.
Published: 2026-04-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Patch Now
AI Analysis

Impact

The vulnerability arises from inadequate sanitization of the service description field on the prediction graph page, allowing an authenticated user to inject arbitrary Livestatus commands. This could let the attacker execute unintended commands within the Checkmk environment, potentially exposing sensitive monitoring data or manipulating the system’s state, thereby compromising data integrity and confidentiality. The weakness aligns with a command injection attack.

Affected Systems

The affected product is Checkmk by Checkmk GmbH. Versions before 2.5.0b4, before 2.4.0p26, and before 2.3.0p47 are vulnerable. It specifically affects the prediction graph interface where service names are processed.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires an authenticated Checkmk session and manipulation of the service name parameter; once achieved, arbitrary Livestatus commands can be executed. The risk of exploitation is moderate and depends on attacker access to a valid user account.

Generated by OpenCVE AI on April 10, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Checkmk to version 2.5.0b4 or newer
  • Confirm that the prediction graph page is no longer vulnerable after the update
  • If an immediate upgrade is not possible, restrict authenticated user access and monitor for unusual Livestatus activity

Generated by OpenCVE AI on April 10, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://checkmk.com/werk/17990 cve-icon cve-icon
History

Fri, 10 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.
Title Potential livestatus injection in prediction graph page
First Time appeared Checkmk
Checkmk checkmk
Weaknesses CWE-140
CPEs cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*
Vendors & Products Checkmk
Checkmk checkmk
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Checkmk Checkmk
cve-icon MITRE

Status: PUBLISHED

Assigner: Checkmk

Published:

Updated: 2026-04-10T12:47:24.094Z

Reserved: 2026-03-20T10:30:13.353Z

Link: CVE-2026-33457

cve-icon Vulnrichment

Updated: 2026-04-10T12:47:20.307Z

cve-icon NVD

Status : Received

Published: 2026-04-10T09:16:24.630

Modified: 2026-04-10T09:16:24.630

Link: CVE-2026-33457

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T14:40:52Z

Weaknesses