CVE-2026-7765
Description
Checkmk <2.5.0p5 allows attackers with a public dashboard share token to read the dashboard creator's messages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Incorrect authorization in the User Messages dashboard widget in Checkmk versions prior to 2.5.0p5 allows the message-fetching endpoints to return the dashboard creator's messages instead of the viewer's. This affects all editions of Checkmk [1].
Exploitation
An attacker needs to know a valid public dashboard share token for a dashboard. By sending requests to the underlying endpoint, the attacker can retrieve the issuer's personal messages, even if the dashboard does not contain a User Messages widget [1].
Impact
An attacker can read the personal messages of the dashboard creator (issuer). This results in the disclosure of sensitive information [1].
Mitigation
Checkmk versions 2.5.0p5 and later contain a fix for this issue. Until the fix is applied, users should revoke any shared-dashboard tokens whose issuers may hold sensitive user messages. The endpoint get_user_messages_token_auth.py has been removed in the patched versions [1].
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (1)
1a35953b1c7f8 Fix stale success state in GenerateToken after token reset
1 file changed · +9 −1
packages/cmk-frontend-vue/src/mode-host/agent-connection-test/components/GenerateToken.vue+9 −1 modified@@ -4,7 +4,7 @@ This file is part of Checkmk (https://checkmk.com). It is subject to the terms a conditions defined in the file COPYING, which is part of this source code package. --> <script setup lang="ts"> -import { computed, ref } from 'vue' +import { computed, ref, watch } from 'vue' import { Api } from '@/lib/api-client' import usei18n from '@/lib/i18n' @@ -50,6 +50,14 @@ const ottGenerated = ref(false) const ottError = ref<Error | null>(null) const ottExpiry = ref<Date | null>(null) const noOTT = ref(false) + +watch(ott, (newValue) => { + if (newValue === null) { + ottGenerated.value = false + ottError.value = null + ottExpiry.value = null + } +}) const api = new Api('api/internal/', [['Content-Type', 'application/json']]) const tokenGenerationBody = ref<IAgentTokenGenerationRequestBody>(props.tokenGenerationBody)
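Review bot: this commit does not touch the User Messages message-fetching code that the advisory describes; the only file changed is the agent-connection-test component GenerateToken.vue, and the endpoint get_user_messages_token_auth.py named under Mitigation as removed does not appear in this diff, so the link between this patch and the CVE's actual fix should be verified before relying on it. Within the hunk itself, the new `watch(ott, ...)` resets `ottGenerated`, `ottError` and `ottExpiry` only when `ott` becomes `null`; a transition from one non-null token to another leaves the previous success, error and expiry state in place, so either reset on every change of `ott` or add a comment explaining why only the null transition is relevant.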
Vulnerability mechanics
Root cause
"Incorrect authorization logic in the User Messages dashboard widget allows unauthorized access to messages."
Attack vector
An attacker who obtains a valid public dashboard share token can send requests to the message-fetching endpoints with that token; the endpoints then return the dashboard creator's personal messages instead of the viewer's. This works even if the User Messages widget is not present on the dashboard.
Affected code
The vulnerability lies within the User Messages dashboard widget, specifically in how message-fetching endpoints handle authorization. The provided patch modifies the `packages/cmk-frontend-vue/src/mode-host/agent-connection-test/components/GenerateToken.vue` file.
What the fix does
The patch modifies the `GenerateToken.vue` file by adding a `watch` effect that resets the `ottGenerated`, `ottError`, and `ottExpiry` states when the `ott` value becomes null. This keeps the token generation state consistent after a token reset, preventing stale success, error, or expiry state that could lead to authorization issues.
Preconditions
- Attacker must know a valid public dashboard share token.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.