Werk #20078: Enforce CSRF token verification on global settings toggle buttons

Component: Core & setup
Title: Enforce CSRF token verification on global settings toggle buttons
Date: Jun 29, 2026
Level: Trivial Change
Class: New Feature
Compatibility: Compatible - no manual interaction needed

Checkmk versions & editions
3.0.0b1 (Not yet released): Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
2.5.0p9 (Not yet released): Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
2.4.0p34 (Not yet released): Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT

Previously, the toggle buttons on the global settings page were not protected by a CSRF token. This was not exploitable in practice: the requests were guarded by transaction IDs, which an attacker would have needed to guess, providing solid protection against cross-site request forgery (CSRF).

With this fix, all toggle actions on the global settings page verify the CSRF token before being executed.
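
The layered check described above, as an added Python example that is not Checkmk's own code: a toggle handler that verifies a session-bound CSRF token and then consumes a one-time transaction ID. The `Session` class, the form field names (`csrf_token`, `transid`, `setting`) and the status codes are assumptions made for illustration.

```python
import hmac
import secrets


class Session:
    """Constructed stand-in for a server-side session (hypothetical)."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)  # fixed for the session
        self.transids = set()  # issued, not yet used one-time IDs

    def fresh_transid(self):
        tid = secrets.token_urlsafe(16)
        self.transids.add(tid)
        return tid


def csrf_ok(session, submitted):
    # Reject a missing token; compare in constant time otherwise.
    return isinstance(submitted, str) and hmac.compare_digest(
        session.csrf_token.encode(), submitted.encode())


def transid_ok(session, submitted):
    # One-time use: a valid ID is consumed, so a replayed request fails.
    if submitted in session.transids:
        session.transids.discard(submitted)
        return True
    return False


def toggle_setting(session, settings, form):
    """Flip a boolean setting if both checks pass; returns (status, message)."""
    # CSRF check first, so a forged request cannot burn a valid transaction ID.
    if not csrf_ok(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    name = form.get("setting")
    if not isinstance(settings.get(name), bool):
        return 400, "unknown toggle"
    if not transid_ok(session, form.get("transid")):
        return 409, "transaction ID invalid or already used"
    settings[name] = not settings[name]
    return 200, f"{name} is now {settings[name]}"
```

Checking the CSRF token before touching the transaction ID means a cross-site request that lacks the token is rejected without changing any server-side state.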