Werk #17105: Fix secrets added to URL query params

Component Setup
Title Fix secrets added to URL query params
Date Aug 7, 2025
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0p13 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p38 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p46 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Previously, under specific conditions (toggling page navigation after receiving validation errors when submitting a form), passwords and other secrets entered in the form could be exposed in URL query parameters. Importantly, this did not affect any stored secrets; only the data just entered by the user was at risk. This could result in sensitive data being leaked, for example, to server logs.

Such sensitive information is now excluded from the URL query parameters.

This issue was reported to us by an external party.

Affected Versions:

  • 2.4.0
  • 2.3.0
  • 2.2.0
  • 2.1.0 (EOL)

Vulnerability Management:

We have rated the issue with a CVSS Score of 1.0 Low (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N) and assigned CVE-2025-32916.

To the list of all Werks