Impact
The vulnerability arises from incorrect authorization in the User Messages dashboard widget in Checkmk versions below 2.5.0p5. Affected endpoints that fetch messages return the creator's personal messages instead of those of the viewer, enabling an attacker to obtain sensitive communication intended only for the dashboard owner. This flaw results in the disclosure of private user messages, violating confidentiality and potentially exposing personal data. The flaw is categorized as a Missing Authorization issue, specifically CWE-863.
Affected Systems
The flaw affects Checkmk by Checkmk GmbH, specifically all Checkmk releases earlier than version 2.5.0p5. Systems that run a shared dashboard with public sharing enabled and contain the User Messages widget are susceptible. Any version in the vulnerable range, regardless of platform, is affected.
Risk and Exploitability
The CVSS score is 6.3, indicating a moderate severity. The EPSS score is not available, so exploitation likelihood cannot be quantified, but the flaw is publicly documented and can be leveraged if an attacker obtains a valid public dashboard share token. The vulnerability is not listed in the CISA KEV, though organizations should still consider patching immediately. An attacker can simply send requests to the underlying message endpoint using the known token, gaining the creator’s messages. The absence of an authorization check makes the exploitation straightforward once the token is known.
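The authorization mistake described above, modelled as an added example (hypothetical code, not Checkmk's own): the widget populates messages for the dashboard creator, while the fix resolves the requesting principal and shows only that viewer's messages, and a token-only viewer gets none. The message store, dashboard model, and share token are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed in-memory message store keyed by user name (hypothetical data model).
MESSAGES = {
    "alice": ["alice: rotate the API key before Friday"],
    "bob": ["bob: quarterly review moved to Monday"],
}

@dataclass
class Dashboard:
    name: str
    owner: str
    public: bool = False
    share_token: str = ""      # constructed sample value when public sharing is on

@dataclass
class Viewer:
    user: Optional[str]        # None when the request carries only a share token
    token: Optional[str] = None

def can_view(dash: Dashboard, viewer: Viewer) -> bool:
    """Dashboard-level access: owner, any logged-in user on a public dashboard,
    or an anonymous request presenting the correct share token."""
    if viewer.user == dash.owner:
        return True
    if not dash.public:
        return False
    return viewer.user is not None or (viewer.token is not None and viewer.token == dash.share_token)

def widget_messages_vulnerable(dash: Dashboard, viewer: Viewer) -> list:
    """Bug pattern from the advisory: access is checked, but the widget is then
    filled with the creator's messages, so every permitted viewer receives them."""
    if not can_view(dash, viewer):
        raise PermissionError("not allowed to view dashboard")
    return list(MESSAGES.get(dash.owner, []))

def widget_messages_fixed(dash: Dashboard, viewer: Viewer) -> list:
    """Authorize the data on the requesting principal: messages belong to the
    viewer, and a token-only (anonymous) viewer has no personal messages."""
    if not can_view(dash, viewer):
        raise PermissionError("not allowed to view dashboard")
    if viewer.user is None:
        return []
    return list(MESSAGES.get(viewer.user, []))
```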
OpenCVE Enrichment