Werk #19041: FIX Deleting a password as a non-privileged user via REST API/Quick Setup wiped all passwords not editable by the current user
| Component | Setup |
|---|---|
| Title | FIX Deleting a password as a non-privileged user via REST API/Quick Setup wiped all passwords not editable by the current user |
| Date | Feb 24, 2026 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
The function remove_password() previously loaded only the subset of passwords editable by the current user and saved that subset back to disk. As a result, when any password was removed, all passwords outside the user's editable scope were deleted unintentionally.
This behavior allowed a monitoring user (role "user") who belongs to at least one contact group and owns one or more passwords to trigger unauthorized deletion. By deleting their own password via the Quick Setup UI or the REST API, the user inadvertently caused all passwords owned by groups outside their contact-group membership to be silently wiped in the same operation.
This could lead to unexpected loss of passwords and disrupt services relying on those credentials.
The fix updates remove_password() to load the complete password store, verify that the target password is within the user's editable set, remove only that specific entry, and then write the entire password store back to disk.
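To make the failure mode concrete, here is an added Python model of the two versions of remove_password() described above (an illustration written for this note, not Checkmk's code; PasswordStore, Password, the group names and the demo() helper are all made up):

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Password:
    owner_group: Optional[str]  # None = not owned by any contact group
    secret: str


class PasswordStore:
    """Hypothetical in-memory stand-in for the on-disk password store."""

    def __init__(self, entries: Dict[str, Password]) -> None:
        self._entries = dict(entries)

    def load_all(self) -> Dict[str, Password]:
        return dict(self._entries)

    def load_for_user(self, user_groups: Set[str]) -> Dict[str, Password]:
        # Only passwords owned by one of the user's contact groups are editable.
        return {k: v for k, v in self._entries.items() if v.owner_group in user_groups}

    def save(self, entries: Dict[str, Password]) -> None:
        # Whatever is passed here replaces the whole file.
        self._entries = dict(entries)


def remove_password_buggy(store: PasswordStore, user_groups: Set[str], ident: str) -> None:
    passwords = store.load_for_user(user_groups)  # subset only
    if ident not in passwords:
        raise PermissionError(ident)
    del passwords[ident]
    store.save(passwords)  # BUG: the subset overwrites the full store


def remove_password_fixed(store: PasswordStore, user_groups: Set[str], ident: str) -> None:
    all_passwords = store.load_all()  # full store
    if ident not in store.load_for_user(user_groups):  # authorisation check
        raise PermissionError(ident)
    del all_passwords[ident]  # remove only the target entry
    store.save(all_passwords)  # write the complete store back


def demo(remover) -> list:
    """Constructed store: a 'dba' user deletes db_user; returns what survives."""
    store = PasswordStore({
        "db_user": Password("dba", "s3cr3t"),
        "backup": Password("ops", "b4ckup"),
        "admin_api": Password(None, "adm1n"),
    })
    remover(store, {"dba"}, "db_user")
    return sorted(store.load_all())
```

demo(remove_password_buggy) returns an empty list, while demo(remove_password_fixed) leaves the two passwords the user could not edit in place.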
Note: The issue did not apply to the normal deletion of passwords via the Setup > Passwords entrypoint.
This issue was found during internal review.
Who is affected?
Administrators who store passwords in the Checkmk password store and whose site also has monitoring users (role "user") that are members of at least one contact group.
Affected Versions
- 2.4.0
- 2.3.0
- 2.2.0 (EOL)
Mitigations
Restrict the Password management permission to administrators only until the fix is applied.
Indicators of Compromise
Check var/check_mk/wato/passwords.mk for unexpected loss of password entries, and review the audit log (Setup → Audit log) for delete-password entries created by non-administrator users.
Vulnerability Management
We have rated the issue with a CVSS Score of 5.3 Medium (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N) and assigned CVE-2026-3103.