Werk #16917: Fix BI aggregations leaking host/service names to restricted users
| Component | BI |
|---|---|
| Title | Fix BI aggregations leaking host/service names to restricted users |
| Date | Apr 29, 2026 |
| Level | Trivial Change |
| Class | Bug Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
Previously, frozen BI aggregations could expose details about hosts and services (e.g. their names) to users with restricted access. When such a user queried an aggregation, elements they were not permitted to see appeared as "Service/Host not found", revealing that those hosts or services exist.
Restricted users will no longer see elements they are not authorized to access. Elements that genuinely don't exist (e.g. removed or vanished hosts/services) are still reported as "not found".
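The following Python model illustrates the difference between the old and the fixed behaviour described above. It is an added example, not Checkmk's own BI code: the tree representation, the `EXISTING` inventory, the `FROZEN_AGGR` leaf list, the per-host permission model in `visible_to` and the function names are all hypothetical. The placeholder string is the one quoted in this werk. `render_vulnerable` shows how a uniform "not found" placeholder for both unauthorized and vanished leaves acts as an existence oracle for a restricted user; `render_fixed` omits unauthorized leaves entirely and reserves the placeholder for leaves that genuinely no longer exist.

```python
"""Model of the BI aggregation visibility issue described in Werk #16917.

Added illustration, not Checkmk code. Data model, permission check and
names are hypothetical; only the observable behaviour follows the werk.
"""
from dataclasses import dataclass
from typing import Optional

NOT_FOUND = "Service/Host not found"  # placeholder quoted in the werk


@dataclass(frozen=True)
class Leaf:
    """One leaf of an aggregation: a host, or a service on a host."""
    host: str
    service: Optional[str] = None  # None means a host-level leaf

    def label(self) -> str:
        return self.host if self.service is None else f"{self.host}/{self.service}"


# Constructed inventory: what currently exists in the monitoring core.
# "old-db" is deliberately absent, i.e. it was removed after the freeze.
EXISTING = {
    Leaf("web01"), Leaf("web01", "HTTP"),
    Leaf("db01"), Leaf("db01", "PostgreSQL"),
}

# Constructed frozen aggregation: the leaves captured at freeze time.
FROZEN_AGGR = [
    Leaf("web01", "HTTP"),
    Leaf("db01", "PostgreSQL"),
    Leaf("old-db", "PostgreSQL"),  # host removed since: genuinely missing
]


def visible_to(user_hosts: set[str], leaf: Leaf) -> bool:
    """Hypothetical permission check: a user may see a leaf iff they may see its host."""
    return leaf.host in user_hosts


def render_vulnerable(aggr: list[Leaf], user_hosts: set[str]) -> list[str]:
    """'Before' behaviour: every leaf that is gone OR that the user may not
    see becomes the same placeholder. A restricted user therefore sees one
    placeholder per existing-but-hidden leaf, which reveals that those
    hosts/services exist in the aggregation."""
    rows = []
    for leaf in aggr:
        if leaf in EXISTING and visible_to(user_hosts, leaf):
            rows.append(leaf.label())
        else:
            rows.append(NOT_FOUND)
    return rows


def render_fixed(aggr: list[Leaf], user_hosts: set[str]) -> list[str]:
    """'After' behaviour: check existence first, then permission.
    Genuinely missing leaves are reported as not found for every user;
    existing leaves the user may not see are dropped without a trace."""
    rows = []
    for leaf in aggr:
        if leaf not in EXISTING:
            rows.append(NOT_FOUND)  # same answer regardless of who asks
        elif visible_to(user_hosts, leaf):
            rows.append(leaf.label())
        # else: exists but not permitted -> omitted entirely
    return rows


def oracle_gain(aggr: list[Leaf], user_hosts: set[str]) -> int:
    """Number of existing, unauthorized leaves whose presence the vulnerable
    rendering discloses to this user and the fixed rendering does not."""
    before = render_vulnerable(aggr, user_hosts).count(NOT_FOUND)
    after = render_fixed(aggr, user_hosts).count(NOT_FOUND)
    return before - after


if __name__ == "__main__":
    restricted = {"web01"}  # constructed: user may only see web01
    print("vulnerable:", render_vulnerable(FROZEN_AGGR, restricted))
    print("fixed:     ", render_fixed(FROZEN_AGGR, restricted))
    print("leaked existing leaves:", oracle_gain(FROZEN_AGGR, restricted))
```

For the restricted user the vulnerable rendering contains two placeholders although only one referenced host is really gone; the surplus placeholder is exactly the existence leak. The fixed rendering keeps the single placeholder for the removed host, which matches the werk's statement that vanished elements are still reported as "not found". The order of the checks in `render_fixed` matters: testing permission before existence would let a user with no access to the removed host distinguish "removed" from "hidden" only by the presence of the placeholder, whereas checking existence first gives every user the same answer for elements that are really gone.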
We thank Marcus Klein (ITeratio GmbH) for reporting this issue.
Who's Affected:
All Checkmk installations using frozen BI aggregations where at least some users have restricted host/service visibility.
Affected Versions:
- 2.5.0
- 2.4.0
- 2.3.0
- 2.2.0 (EOL)
Mitigations:
If updating is not possible, you can disable frozen aggregations or revoke restricted users' access to BI aggregation views.
Vulnerability Management:
We have rated the issue with a CVSS Score of 2.3/Low (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) and assigned CVE-2026-7485.