Werk #18982: Fix permissions for notification parameter REST API endpoints
| Component | REST API |
| Title | Fix permissions for notification parameter REST API endpoints |
| Date | Nov 5, 2025 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
Before this fix, the REST API endpoints used to configure notification parameters, i.e. check_mk/api/1.0/objects/configuration_entity/*, lacked proper validation of user permissions.
As a result, these endpoints could be invoked by any authenticated user, even one without the notification_plugin.* permissions, potentially allowing them to obtain sensitive information or to modify notification templates.
The appropriate permissions are now required and are documented in the REST API documentation.
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
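The flaw described above is a missing authorization check: the endpoint verified that the caller was authenticated but never checked whether that caller held the relevant notification_plugin.* permission. The following is an added, self-contained illustration of that pattern and its fix, written for this page; it is not Checkmk's code. The `User`, `require_permission` and `PermissionDenied` names, the wildcard matching of permission names, the `notification_plugin.mail` permission string and the sample parameter store are all assumptions constructed for the example.

```python
# Added example, not Checkmk's code: a minimal model of an endpoint that only
# authenticates the caller (the pre-fix shape) beside one that also enforces a
# permission (the post-fix shape). All names and sample data are constructed.
from dataclasses import dataclass, field
from functools import wraps
import fnmatch


class PermissionDenied(Exception):
    """Raised when the acting user lacks a permission the endpoint requires."""


@dataclass
class User:
    name: str
    # Permissions are dotted names; a granted "notification_plugin.*" covers
    # every notification_plugin.<name> permission (assumed naming scheme).
    permissions: set = field(default_factory=set)

    def may(self, permission: str) -> bool:
        return any(fnmatch.fnmatch(permission, granted) for granted in self.permissions)


def require_permission(permission: str):
    """Decorator: refuse the call unless the acting user holds `permission`."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(user: User, *args, **kwargs):
            if not user.may(permission):
                raise PermissionDenied(f"{user.name} lacks {permission}")
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


# Constructed sample store standing in for notification parameter objects.
NOTIFICATION_PARAMETERS = {
    "mail-default": {"plugin": "mail", "smtp_host": "mail.example.invalid"},
}


def list_configuration_entities_unchecked(user: User) -> dict:
    """Pre-fix shape: authentication only, no permission check at all."""
    return dict(NOTIFICATION_PARAMETERS)


@require_permission("notification_plugin.mail")
def list_configuration_entities(user: User) -> dict:
    """Post-fix shape: the permission is enforced before any data is returned."""
    return dict(NOTIFICATION_PARAMETERS)


@require_permission("notification_plugin.mail")
def update_configuration_entity(user: User, ident: str, values: dict) -> dict:
    """Post-fix shape for a write: same check guards modification."""
    NOTIFICATION_PARAMETERS[ident] = {**NOTIFICATION_PARAMETERS.get(ident, {}), **values}
    return NOTIFICATION_PARAMETERS[ident]


def demo() -> dict:
    """Show what an unprivileged but authenticated user reaches with and without the check."""
    admin = User("admin", {"notification_plugin.*"})
    viewer = User("viewer", {"general.use"})  # authenticated, no notification permissions
    outcome = {}
    outcome["unchecked_viewer_sees_data"] = bool(list_configuration_entities_unchecked(viewer))
    try:
        list_configuration_entities(viewer)
        outcome["checked_viewer_denied"] = False
    except PermissionDenied:
        outcome["checked_viewer_denied"] = True
    outcome["checked_admin_sees_data"] = bool(list_configuration_entities(admin))
    return outcome


if __name__ == "__main__":
    print(demo())
```

The decorator puts the permission check in one place, in front of the handler body, so a newly added endpoint cannot return data or apply a change before the check has run; that is the property the fix in this Werk restores for the configuration_entity endpoints.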
Who's Affected:
This issue affects all editions of Checkmk in the default configuration.
Affected Versions:
- 2.4.0
Vulnerability Management:
We have rated the issue with a CVSS Score of 5.3 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) and assigned CVE-2025-58122.