Werk #19032: Check permission for Analyze Configuration page
| Field | Value |
|---|---|
| Component | Setup |
| Title | Check permission for Analyze Configuration page |
| Date | Jan 16, 2026 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
The "Analyze configuration" page did not properly enforce the "Access analyze configuration" permission. This allowed users without this permission to access the page directly via its URL and potentially perform actions such as disabling checks or acknowledging results.
Details
- The menu link to the "Analyze configuration" page was hidden for users lacking the "Access analyze configuration" permission.
- However, users with the "Use WATO" permission could still access the page by entering the URL directly.
- If these users also had the "Make changes, perform actions" permission, they could disable checks and acknowledge check results.
Impacted user roles:
- Users with the default "Normal monitoring user" role (who lack "Access analyze configuration" but have the other permissions) were able to access the page and perform actions they should not have been able to.
- Users with the default "Guest user" role (who lack all relevant permissions) were not affected.
The "Access analyze configuration" permission is now correctly enforced when accessing the page.
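The bug described above is the classic "hidden in the menu, but not enforced by the handler" pattern. The following is an added example (not Checkmk code) that models the role and permission layout the werk describes: the permission identifiers, role names and the two handlers are hypothetical stand-ins, and the "page" is a toy object that only records which checks were disabled or acknowledged. It shows that a "Normal monitoring user" who never sees the menu entry can still reach the page and act on it through the vulnerable handler, while the fixed handler rejects the request before any action is considered.

```python
"""Added example (not Checkmk code): hiding a menu entry is not an access check.

Permission names, role names and handler functions below are hypothetical
stand-ins for the permissions the werk mentions; the role model is constructed
to mirror the werk's description of the default roles.
"""

from dataclasses import dataclass, field

# Hypothetical identifiers standing in for "Use WATO",
# "Make changes, perform actions" and "Access analyze configuration".
USE_SETUP = "wato.use"
MAKE_CHANGES = "wato.edit"
ACCESS_ANALYZE = "wato.analyze_config"

# Constructed role model: the normal user has the first two permissions but
# not the page permission; the guest has none of them.
ROLES = {
    "normal_user": {USE_SETUP, MAKE_CHANGES},
    "guest": set(),
    "admin": {USE_SETUP, MAKE_CHANGES, ACCESS_ANALYZE},
}


class PermissionDenied(Exception):
    """Raised with the name of the permission that was missing."""


@dataclass
class AnalyzeConfigPage:
    """Toy stand-in for the page state: which check IDs were disabled/acknowledged."""
    disabled: set = field(default_factory=set)
    acknowledged: set = field(default_factory=set)


def _require(perms, needed):
    if needed not in perms:
        raise PermissionDenied(needed)


def menu_entries(role):
    """Menu rendering: lists the page only for users holding ACCESS_ANALYZE.
    In the vulnerable layout this is the only place the permission is consulted."""
    return ["analyze_config"] if ACCESS_ANALYZE in ROLES[role] else []


def _dispatch(page, perms, action, check_id):
    """Shared body: render, or perform an action if MAKE_CHANGES is held."""
    if action is None:
        return "rendered"
    _require(perms, MAKE_CHANGES)
    if action == "disable":
        page.disabled.add(check_id)
    elif action == "acknowledge":
        page.acknowledged.add(check_id)
    else:
        raise ValueError(f"unknown action {action!r}")
    return "ok"


def handle_vulnerable(page, role, action=None, check_id=None):
    """Before the fix: only USE_SETUP gates the request, so typing the URL
    directly bypasses the menu-level check entirely."""
    perms = ROLES[role]
    _require(perms, USE_SETUP)
    return _dispatch(page, perms, action, check_id)


def handle_fixed(page, role, action=None, check_id=None):
    """After the fix: the page permission is enforced on every request,
    before the action (if any) is looked at."""
    perms = ROLES[role]
    _require(perms, USE_SETUP)
    _require(perms, ACCESS_ANALYZE)
    return _dispatch(page, perms, action, check_id)


def probe(handler, role, action=None, check_id=None):
    """Run one request and report 'allowed' or 'denied:<missing permission>'."""
    page = AnalyzeConfigPage()
    try:
        handler(page, role, action, check_id)
    except PermissionDenied as exc:
        return f"denied:{exc.args[0]}"
    return "allowed"


if __name__ == "__main__":
    for role in ROLES:
        print(role, "menu:", menu_entries(role),
              "vulnerable:", probe(handle_vulnerable, role, "disable", "some_check"),
              "fixed:", probe(handle_fixed, role, "disable", "some_check"))
```

The point to take from the model is that `menu_entries` and the handler are separate code paths: a permission consulted only when rendering navigation protects nothing, because the URL is known (or guessable) and the action parameters are ordinary form fields. Every handler that serves a permission-gated page should call the equivalent of `_require(perms, ACCESS_ANALYZE)` itself, before reading any action parameter.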
Who's Affected
All editions of Checkmk are affected in the default configuration.
Affected Versions
- 2.4.0
- 2.3.0
- 2.2.0 (EOL)
Recommended Mitigations
After updating, review the "Analyze configuration" page and verify that all desired checks are still enabled and that no findings have been acknowledged unexpectedly, since a user without the permission could have changed either before the fix.
Vulnerability Management
We have rated the issue with a CVSS score of 5.3 (Medium) (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N) and assigned CVE-2026-24095.