Werk #17105: Fix secrets added to URL query params

Component	Setup
Title	Fix secrets added to URL query params
Date	Aug 7, 2025
Level	Trivial Change
Class	Security Fix
Compatibility	Compatible - no manual interaction needed
Checkmk versions & editions	2.5.0b1 Not yet released Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME) 2.4.0p13 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME) 2.3.0p38 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME) 2.2.0p46 Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Previously, under specific conditions (toggling page navigation after receiving validation errors when submitting a form), passwords and other secrets entered in the form could be exposed in URL query parameters. Importantly, this did not affect any stored secrets; only the data just entered by the user was at risk. This could result in sensitive data being leaked, for example, to server logs.

Such sensitive information is now excluded from the URL query parameters.

This issue was reported to us by an external party.

Affected Versions:

• 2.4.0
• 2.3.0
• 2.2.0
• 2.1.0 (EOL)

Vulnerability Management:

We have rated the issue with a CVSS Score of 1.0 Low (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N) and assigned CVE-2025-32916.

To the list of all Werks