Werk #18994: Fix host enumeration in deploy_agent

Component: Core & setup
Title: Fix host enumeration in deploy_agent
Date: Feb 20, 2026
Level: Trivial Change
Class: Security Fix
Compatibility: Compatible - no manual interaction needed

Checkmk versions & editions:

  • 2.6.0b1 (not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.5.0b1 (not yet released): Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.4.0p23: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)
  • 2.3.0p43: Checkmk Raw (CRE), Checkmk Enterprise (CEE), Checkmk Cloud (CCE), Checkmk MSP (CME)

Before this fix, the check_mk/deploy_agent.py endpoint allowed unauthenticated users to enumerate existing hosts by observing different HTTP responses.

By providing a host name without a valid secret, an attacker could distinguish between "This host is not registered" and "Invalid host secret" because the endpoint verified the host's existence before checking the authentication secret.

The endpoint logic has been updated to return a consistent, generic response regardless of whether the host exists or the secret is incorrect, ensuring that host presence is no longer leaked to unauthenticated users.
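
The check ordering described above, shown next to a hardened form, as an added example that is not Checkmk's own code. The handler names, the status codes, the generic message wording, the sample hosts and the dummy-secret comparison are assumptions made for illustration.

```python
import hmac

# Constructed sample data: host name -> deployment secret (hypothetical values).
HOST_SECRETS = {"web01": "s3cr3t-web01", "db01": "s3cr3t-db01"}

GENERIC_ERROR = (403, "Invalid host name or host secret")  # hypothetical wording
_DUMMY_SECRET = "x" * 32  # compared against when the host is unknown


def deploy_agent_before(host: str, secret: str) -> tuple[int, str]:
    """Pre-fix ordering: existence is checked first, so the message is an oracle."""
    if host not in HOST_SECRETS:
        return (403, "This host is not registered")
    if not hmac.compare_digest(HOST_SECRETS[host].encode(), secret.encode()):
        return (403, "Invalid host secret")
    return (200, "OK")


def deploy_agent_after(host: str, secret: str) -> tuple[int, str]:
    """Post-fix behaviour: one response for 'unknown host' and 'wrong secret'."""
    expected = HOST_SECRETS.get(host, _DUMMY_SECRET)
    # Always run the comparison so both failure paths do the same work.
    secret_ok = hmac.compare_digest(expected.encode(), secret.encode())
    if host in HOST_SECRETS and secret_ok:
        return (200, "OK")
    return GENERIC_ERROR


def leaks_host_existence(handler, known_host: str, unknown_host: str) -> bool:
    """Regression check: do unauthenticated failures differ by host existence?"""
    bad_secret = "not-the-secret"
    return handler(known_host, bad_secret) != handler(unknown_host, bad_secret)


if __name__ == "__main__":
    print("before fix leaks:", leaks_host_existence(deploy_agent_before, "web01", "nope01"))
    print("after fix leaks: ", leaks_host_existence(deploy_agent_after, "web01", "nope01"))
```

A check in the style of `leaks_host_existence` can be kept as a regression test so that a later change to the error handling does not reintroduce distinguishable responses.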

We thank an external contributor for reporting this issue.

Who's Affected:

This issue affects all editions of Checkmk in the default configuration.

Affected Versions:

  • 2.4.0
  • 2.3.0
  • 2.2.0 (EOL)

Vulnerability Management:

We have rated the issue with a CVSS Score of 6.3 Medium (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) and assigned CVE-2026-2859.
