Werk #19815: User Messages widget leaked issuer messages on shared dashboards
| Component | User interface |
| Title | User Messages widget leaked issuer messages on shared dashboards |
| Date | Apr 30, 2026 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
The "User messages" dashboard widget retrieved messages via a token-authenticated endpoint that returned the messages of the dashboard's token issuer (the user who created the share link), not of the user viewing the page.
As a result, anyone in possession of a share token for a public dashboard could read the issuer's personal user messages by sending a request to the underlying endpoint, even if the dashboard did not contain a "User messages" widget at all.
With this change, the "User messages" widget no longer fetches messages on shared dashboards and renders a "Not available on shared dashboards" placeholder instead, mirroring the behavior of the "Sidebar element" widget. The endpoint that backed the widget on shared dashboards (get_user_messages_token_auth.py) is removed; requests to it now return 404.
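The flaw described above is a confusion between two identities: a share token proves that its bearer may view one dashboard and is bound to the user who issued the link, but the bearer is not that user. The following is a constructed model added here to illustrate that separation; it is not Checkmk code, and the `Site`, `ShareToken`, endpoint and widget functions are hypothetical names. It shows the pre-fix endpoint resolving messages from the token's issuer, the post-fix endpoint answering 404, the widget rendering the placeholder instead of fetching, and the interim mitigation of revoking an issuer's tokens.

```python
"""Constructed model of the flaw fixed in Werk #19815 (not Checkmk code).

A dashboard share token proves the bearer may view one shared dashboard.
It is bound to its issuer so the server can render that user's dashboard,
but the issuer is *not* the acting user: the bearer may be anyone holding
the link. Any endpoint that resolves per-user data from the token's issuer
therefore serves the issuer's private data to the bearer.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

PLACEHOLDER = "Not available on shared dashboards"


@dataclass
class ShareToken:
    dashboard_id: str
    issuer: str  # user who created the share link


@dataclass
class Site:
    # user -> that user's private messages (constructed sample data)
    user_messages: dict[str, list[str]] = field(default_factory=dict)
    # token string -> ShareToken
    tokens: dict[str, ShareToken] = field(default_factory=dict)

    def share_dashboard(self, issuer: str, dashboard_id: str) -> str:
        token = secrets.token_urlsafe(16)
        self.tokens[token] = ShareToken(dashboard_id, issuer)
        return token

    def revoke_tokens_issued_by(self, issuer: str) -> int:
        """Interim mitigation from the werk: drop every token the user issued."""
        doomed = [t for t, st in self.tokens.items() if st.issuer == issuer]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

    def _lookup(self, token: str) -> ShareToken | None:
        return self.tokens.get(token)

    # --- before the fix ---------------------------------------------------
    def user_messages_token_auth_vulnerable(self, token: str) -> tuple[int, object]:
        """Token-authenticated endpoint as it behaved before the fix.

        The token is valid for the dashboard, so the request is accepted, but
        the messages are read for the token's issuer. The bearer never had to
        be that user, and no widget needs to exist for the endpoint to answer.
        """
        st = self._lookup(token)
        if st is None:
            return 401, {"error": "invalid or revoked share token"}
        return 200, {"messages": list(self.user_messages.get(st.issuer, []))}

    # --- after the fix ----------------------------------------------------
    def user_messages_token_auth_fixed(self, token: str) -> tuple[int, object]:
        """The endpoint is removed: every request gets 404, valid token or not."""
        return 404, {"error": "not found"}

    def render_user_messages_widget_shared(self, token: str) -> tuple[int, object]:
        """Widget on a shared dashboard: no fetch at all, placeholder only."""
        if self._lookup(token) is None:
            return 401, {"error": "invalid or revoked share token"}
        return 200, {"html": PLACEHOLDER}


def demo() -> dict[str, object]:
    """Walk through issuer/bearer separation; returns each step for checking."""
    site = Site(user_messages={"alice": ["private note for alice"]})
    token = site.share_dashboard("alice", "ops-overview")  # link given to an outsider
    before = site.user_messages_token_auth_vulnerable(token)   # leaks alice's messages
    after = site.user_messages_token_auth_fixed(token)         # endpoint gone: 404
    widget = site.render_user_messages_widget_shared(token)    # placeholder only
    revoked = site.revoke_tokens_issued_by("alice")            # mitigation: 1 token
    after_revoke = site.user_messages_token_auth_vulnerable(token)  # now 401
    return {
        "before": before,
        "after": after,
        "widget": widget,
        "revoked": revoked,
        "after_revoke": after_revoke,
    }


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step}: {value}")
```

The point of the model is in `user_messages_token_auth_vulnerable`: the authentication check passes because the token is valid for the dashboard, and the authorization decision is then made for the wrong principal. The fix does not try to resolve the viewer's identity from the token; it removes the per-user data path from shared dashboards entirely, which is why the placeholder, not a scoped query, is the correct shape.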
Who's Affected:
All editions of Checkmk are affected, regardless of which user roles are configured. Exploitation requires the attacker to know a valid public dashboard share token of the targeted user.
Affected Versions:
- 2.5.0
Mitigations:
Until the fix is applied, revoke any shared-dashboard tokens whose issuers may hold sensitive user messages.
Vulnerability Management:
We have rated the issue with a CVSS score of 6.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) and assigned CVE-2026-7765.
This issue was found by internal review.