Werk #18681: Fix permissions for show agent information REST API endpoints

Component: REST API
Title: Fix permissions for show agent information REST API endpoints
Date: Nov 12, 2025
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

Checkmk versions & editions:

  • 2.5.0b1 (not yet released): Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.4.0p17: Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.3.0p42 (not yet released): Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Before this fix, the REST API endpoint that shows agent information, i.e. check_mk/api/1.0/domain-types/agent/collections/all, lacked proper validation of user permissions. As a result, any authenticated user could invoke the endpoint and potentially retrieve sensitive information such as agent configurations and associated secrets.

The appropriate permissions are now required and documented in the REST API documentation.

This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.

Who's Affected:

This issue affects the commercial editions of Checkmk in the default configuration.

Affected Versions:

  • 2.4.0
  • 2.3.0
  • 2.2.0
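
To triage a fleet against the fixed and affected versions listed in this Werk, the following added example (not Checkmk's own code) classifies installed version strings. It assumes strings of the form `<branch>[b|p<n>][.<edition>]`, optionally preceded by other text such as the output of `omd version`, and assumes the suffixes `cee`, `cce` and `cme` for the editions named above; the host names are constructed.

```python
import re

# Fixed release per branch, from the Werk's "Checkmk versions & editions" table.
FIXED = {"2.5.0": ("b", 1), "2.4.0": ("p", 17), "2.3.0": ("p", 42)}
# Branches listed under "Affected Versions"; the Werk names no fix for 2.2.0.
AFFECTED_BRANCHES = {"2.4.0", "2.3.0", "2.2.0"}
# Assumed suffixes for the editions the Werk names (CEE, CCE, CME).
AFFECTED_EDITIONS = {"cee", "cce", "cme"}
# Ordering inside one branch: beta < plain release < patch release.
STAGE_RANK = {"b": 0, "": 1, "p": 2}
VERSION_RE = re.compile(
    r"(?<![\w.-])(\d+\.\d+\.\d+)(?:([bp])(\d+))?(?:\.(c[a-z]{2}))?$")


def parse(version):
    """Split e.g. '2.4.0p16.cee' into ('2.4.0', (2, 16), 'cee')."""
    m = VERSION_RE.search(version.strip())
    if not m:
        raise ValueError(f"unrecognised Checkmk version: {version!r}")
    branch, stage, num, edition = m.groups()
    return branch, (STAGE_RANK[stage or ""], int(num or 0)), edition


def assess(version):
    """Classify one installed version against Werk #18681."""
    branch, level, edition = parse(version)
    # An unknown edition (no suffix) is treated as potentially affected.
    if edition is not None and edition not in AFFECTED_EDITIONS:
        return "edition not listed as affected"
    fix = FIXED.get(branch)
    if fix and level >= (STAGE_RANK[fix[0]], fix[1]):
        return "fixed"
    if branch not in AFFECTED_BRANCHES:
        return "branch not covered by this Werk"
    if fix:
        return f"affected, fixed in {branch}{fix[0]}{fix[1]}"
    return "affected, no fixed release listed in this Werk"


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = {"mon-a": "2.4.0p16.cee", "mon-b": "2.4.0p17.cce",
                 "mon-c": "2.3.0p41.cme", "mon-d": "2.2.0p45.cee",
                 "mon-e": "2.4.0p16.cre"}
    for host, version in inventory.items():
        print(f"{host}: {version}: {assess(version)}")
```

Version strings in any other shape raise `ValueError`, so they are reported for manual review instead of being silently classified.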

Vulnerability Management:

We have rated the issue with a CVSS Score of 6.3 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N) and assigned CVE-2025-64997.
