
Werk #18993: Fix host enumeration in agent-receiver

Component: Core & setup
Title: Fix host enumeration in agent-receiver
Date: Feb 19, 2026
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed
Checkmk versions & editions:

  • 2.6.0b1 (not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.5.0b1 (not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.4.0p23: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.3.0p43: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Before this fix, the agent-receiver/register_existing endpoint allowed any authenticated user to enumerate existing hosts by observing different HTTP response codes.

Because the endpoint logic verified a host's existence before checking user permissions, it was possible for an unauthorized user to differentiate between a 404 Not Found (host does not exist) and a 403 Forbidden (host exists, but access is denied).

The endpoint logic has been updated to respond with a 403 Forbidden when the host does not exist and the user does not have the right level of privileges.
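The check ordering described above, as a minimal Python model added here for illustration (not Checkmk's code; the host names, users, permission sets and function names are all constructed for the example):

```python
from http import HTTPStatus

# Constructed sample data: host -> users permitted to register it.
HOSTS = {"db01": {"carol"}, "web01": {"bob", "carol"}}
# Assumption: users in this set have the privilege level at which
# learning that a host is missing is acceptable.
PRIVILEGED = {"alice"}


def register_existing_before(user: str, host: str) -> HTTPStatus:
    """Pre-fix ordering: existence first, permissions second."""
    if host not in HOSTS:
        return HTTPStatus.NOT_FOUND      # tells any caller the host is absent
    if user not in PRIVILEGED and user not in HOSTS[host]:
        return HTTPStatus.FORBIDDEN      # tells any caller the host exists
    return HTTPStatus.OK


def register_existing_after(user: str, host: str) -> HTTPStatus:
    """Post-fix ordering: decide on permissions before revealing existence."""
    if user in PRIVILEGED:
        return HTTPStatus.OK if host in HOSTS else HTTPStatus.NOT_FOUND
    if user in HOSTS.get(host, set()):
        return HTTPStatus.OK
    # Denied host and nonexistent host produce the same answer.
    return HTTPStatus.FORBIDDEN


def leaks_existence(handler, user: str, denied_host: str, missing_host: str) -> bool:
    """True if the status code alone separates 'denied' from 'missing'."""
    return handler(user, denied_host) != handler(user, missing_host)


if __name__ == "__main__":
    for handler in (register_existing_before, register_existing_after):
        leak = leaks_existence(handler, "bob", "db01", "no-such-host")
        print(f"{handler.__name__}: leaks existence = {leak}")
```

The `leaks_existence` comparison can be reused as a regression check: for a user without the required privileges, a denied host and a nonexistent host must return the same status.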

We thank an external contributor for reporting this issue.

Who's Affected:

This issue affects all editions of Checkmk in the default configuration.

Affected Versions:

  • 2.4.0
  • 2.3.0
  • 2.2.0 (EOL)

Vulnerability Management:

We have rated the issue with a CVSS Score of 5.3 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) and assigned CVE-2026-24097.
