Werk #18983: Fix permissions on various REST API endpoints
| Component | REST API |
| Title | Fix permissions on various REST API endpoints |
| Date | Nov 12, 2025 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
Several REST API endpoints did not check the permissions of the calling user.
As a result, any authenticated user, regardless of role, could invoke these endpoints and read data or trigger actions that their role did not grant.
The affected endpoints are:
- /objects/service_discovery_run/{host_name} -- showing the last service discovery background job on a host
- /objects/service_discovery/{host_name} -- showing the current service discovery result
- /objects/service_discovery_run/{host_name}/actions/wait-for-completion/invoke -- testing for service discovery completion
- /domain-types/activation_run/collections/pending_changes -- showing all pending changes
- /domain-types/activation_run/collections/running_changes -- showing all running changes
- /objects/host/{host_name}/actions/update_discovery_phase/invoke -- updating the discovery phase of a service
- /domain-types/sla/actions/compute/invoke -- computing SLA data
- /objects/background_job/{job_id} -- showing the status of a background job
The appropriate permissions are now required and documented for these endpoints.
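A practitioner verifying the fix will want to probe each listed endpoint with the credentials of a user whose role does not hold the required permissions and confirm that every one now answers 403. The script below is an added example written for this werk, not Checkmk's own code. It assumes the REST API base path `/<site>/check_mk/api/1.0` and the `Authorization: Bearer <user> <secret>` header that the Checkmk REST API documents; the server URL, site name, credentials, and the host name and job id used to fill the path placeholders are supplied by the caller. Whether Checkmk evaluates permissions before or after parameter validation and object lookup is not stated in the werk, so 400/404/422 answers are reported as inconclusive rather than as pass or fail.

```python
"""Probe the endpoints named in Werk #18983 with a low-privilege user.

Added example for this werk, not Checkmk's own code. Assumes the documented
REST API base path ``/<site>/check_mk/api/1.0`` and ``Authorization: Bearer
<user> <secret>`` authentication. Run it as a user whose role lacks the
permissions the werk now requires; on a patched site every endpoint should
answer 403 ("DENIED"). A 2xx answer ("EXPOSED") means the check is missing.
"""
import json
import sys
import urllib.error
import urllib.request

# Relative endpoint paths exactly as listed in the werk.
AFFECTED_ENDPOINTS = (
    "/objects/service_discovery_run/{host_name}",
    "/objects/service_discovery/{host_name}",
    "/objects/service_discovery_run/{host_name}/actions/wait-for-completion/invoke",
    "/domain-types/activation_run/collections/pending_changes",
    "/domain-types/activation_run/collections/running_changes",
    "/objects/host/{host_name}/actions/update_discovery_phase/invoke",
    "/domain-types/sla/actions/compute/invoke",
    "/objects/background_job/{job_id}",
)


def build_url(server, site, endpoint, host_name, job_id):
    """Fill the {host_name}/{job_id} placeholders and prefix the API base path."""
    path = endpoint.format(host_name=host_name, job_id=job_id)
    return f"{server.rstrip('/')}/{site}/check_mk/api/1.0{path}"


def classify(status):
    """Map the HTTP status of a probe to a verdict.

    2xx          -> EXPOSED: served a user who should lack permission.
    403          -> DENIED: permission check enforced (fixed).
    401          -> AUTH_FAILED: the probe's own credentials were rejected.
    400/404/422  -> INCONCLUSIVE: the request reached parameter validation or
                    object lookup; the werk does not say whether that happens
                    before or after the permission check (assumption), so
                    re-run with a valid host name / job id.
    """
    if 200 <= status < 300:
        return "EXPOSED"
    if status == 403:
        return "DENIED"
    if status == 401:
        return "AUTH_FAILED"
    if status in (400, 404, 422):
        return "INCONCLUSIVE"
    return "UNEXPECTED"


def request_status(url, user, secret, method, body=None):
    """Send one request and return its HTTP status, error responses included."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {user} {secret}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(url, user, secret):
    """GET first; an action endpoint that rejects GET with 405 is retried as
    POST with an empty JSON body, which is enough to reach the permission check."""
    status = request_status(url, user, secret, "GET")
    if status == 405:
        status = request_status(url, user, secret, "POST", body={})
    return status


def main(argv):
    if len(argv) != 7:
        print(f"usage: {argv[0]} SERVER SITE USER SECRET HOST_NAME JOB_ID", file=sys.stderr)
        return 2
    server, site, user, secret, host_name, job_id = argv[1:]
    exposed = 0
    for endpoint in AFFECTED_ENDPOINTS:
        verdict = classify(probe(build_url(server, site, endpoint, host_name, job_id), user, secret))
        print(f"{verdict:12} {endpoint}")
        if verdict == "AUTH_FAILED":
            return 2  # wrong credentials: no other result is meaningful
        exposed += verdict == "EXPOSED"
    return 1 if exposed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Use an existing host name and a job id that the low-privilege user would not otherwise be able to see; otherwise the lookup endpoints may answer 404 and the run stays inconclusive. Exit status 1 means at least one endpoint is still reachable without the required permission.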
This vulnerability was identified in a commissioned penetration test conducted by PS Positive Security GmbH.
Who's Affected:
This issue affects all editions of Checkmk in the default configuration.
Affected Versions:
- 2.4.0
- 2.3.0
- 2.2.0
Vulnerability Management:
We have rated the issue with a CVSS Score of 5.3 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) and assigned CVE-2025-58121.