Werk #17984: Path-Traversal in report scheduler

Component Reporting & availability
Title Path-Traversal in report scheduler
Date Aug 13, 2025
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
2.4.0p13 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.3.0p38 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
2.2.0p46 Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Prior to this Werk, an authenticated user could perform path-traversal attacks against the site's local file directory through the report scheduler. The issue was caused by insufficient escaping of macros, which allowed an attacker to use a generated .mk file to overwrite existing .mk files.

Such an attack could allow an attacker to break a site's configuration. However, because the attacker cannot break out of the predefined fields within the generated .mk file, this can only be used to DoS or break an affected site.

We thank Lisa Gnedt (SBA Research) for reporting this issue.

Affected Versions:

  • 2.4.0
  • 2.3.0
  • 2.2.0
  • 2.1.0 (EOL)

Mitigations:

If you cannot update, it is advised that both of the following permissions be set to no for non-admin users within the site: Manage Own Scheduled Reports (which is set to yes by default) and Manage All Scheduled Reports.

Furthermore, if you believe you may have been affected by this vulnerability, it is advised that you conduct a manual review of all scheduled reports within your site and remove any schedules whose titles contain directory information (path separators or ".." components).

Indicators of Compromise:

Checkmk always generates a .mk and .pdf file pair for each scheduled report. Therefore, any path written to through this vulnerability can be identified by the presence of a .pdf/.mk report file pair in a location where no scheduled report is expected.
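The two checks above (the review of scheduled-report titles for directory information, and the search for .pdf/.mk file pairs outside the reports directory) can be scripted. The following is an added example and is not Checkmk code: the site layout it builds (var/reports as the legitimate report location, etc/check_mk as a configuration directory), the sample titles, and the file contents are all constructed assumptions for demonstration, and the real site paths may differ.

```python
"""Review helpers for Werk #17984: flag scheduled-report titles that carry
directory information, and find .pdf/.mk report file pairs that were written
outside the expected reports directory.

Added example, not Checkmk code. The directory layout (var/reports as the
legitimate report location, etc/check_mk as a configuration directory) and
the sample titles are constructed assumptions."""
import tempfile
from pathlib import Path

# Constructed sample of scheduled-report titles, as an operator might export them for review.
SAMPLE_TITLES = [
    "Weekly availability",
    "../../etc/check_mk/main",   # climbs out of the reports directory
    "hosts\\ops report",         # backslash used as a path separator
    "monthly..summary",          # harmless: '..' is not a path component here
]


def has_directory_information(title: str) -> bool:
    """True if a title contains a path separator or is itself a '.' / '..' component."""
    if "/" in title or "\\" in title:
        return True
    return title in (".", "..")


def suspicious_titles(titles):
    """Titles that should be removed from the schedule per the mitigation advice."""
    return [t for t in titles if has_directory_information(t)]


def stray_report_pairs(root: Path, reports_dir: Path):
    """Return every .mk file under root that has a sibling .pdf with the same stem
    and does not lie inside reports_dir: the file pairs the Werk names as IoC."""
    findings = []
    for mk in root.rglob("*.mk"):
        if not mk.is_file() or not mk.with_suffix(".pdf").is_file():
            continue
        try:
            mk.relative_to(reports_dir)          # inside the legitimate directory: fine
        except ValueError:
            findings.append(mk)                  # pair exists where no report belongs
    return sorted(findings)


def build_demo_site() -> Path:
    """Constructed site tree: one legitimate report pair, one pair written into the
    configuration directory (the traversal case), and one plain .mk with no .pdf sibling."""
    root = Path(tempfile.mkdtemp(prefix="werk17984_"))
    legit = root / "var" / "reports"
    conf = root / "etc" / "check_mk"
    legit.mkdir(parents=True)
    conf.mkdir(parents=True)
    (legit / "weekly.mk").write_text("# report metadata\n")
    (legit / "weekly.pdf").write_bytes(b"%PDF-1.4\n")
    (conf / "main.mk").write_text("# overwritten configuration\n")
    (conf / "main.pdf").write_bytes(b"%PDF-1.4\n")
    (conf / "other.mk").write_text("# untouched configuration\n")
    return root


def demo():
    """Run the IoC scan over the constructed tree; returns paths relative to the site root."""
    root = build_demo_site()
    pairs = stray_report_pairs(root, root / "var" / "reports")
    return [str(p.relative_to(root)) for p in pairs]


if __name__ == "__main__":
    print("titles with directory information:", suspicious_titles(SAMPLE_TITLES))
    print("stray .pdf/.mk pairs:", demo())
```

On a real site, point stray_report_pairs at the site root and at the directory where Checkmk stores scheduled reports; every .mk reported alongside a .pdf outside that directory is a candidate for having been overwritten and should be restored from a known-good backup.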

Vulnerability Management:

We have rated the issue with a CVSS Score of 7.1 High (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N) and assigned CVE-2025-39664.
