CVE-2026-2859 MEDIUM

CVE-2026-2859: Unauthenticated Host Enumeration via Observable Response Discrepancy on Deploy Agent Endpoint

Vendor Checkmk Gmbh
Product Checkmk
Weakness CWE-204
Published March 13, 2026
Last update March 13, 2026

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Improper permission enforcement in Checkmk versions 2.4.0 before 2.4.0p23, 2.3.0 before 2.3.0p43, and 2.2.0 (EOL) allows unauthenticated users to enumerate existing hosts by observing different HTTP response codes in deploy_agent endpoint, which could lead to information disclosure.

Key dates

02Disclosure timeline

March 13, 2026 CVE published
March 13, 2026 Record updated