Werk #20078: Enforce CSRF token verification on global settings toggle buttons
| Component | Core & setup |
| Title | Enforce CSRF token verification on global settings toggle buttons |
| Date | Jun 29, 2026 |
| Level | Trivial Change |
| Class | New Feature |
| Compatibility | Compatible - no manual interaction needed |
| Checkmk versions & editions | |
Previously, the toggle buttons on the global settings page were not protected by a CSRF token. This was not exploitable in practice: the requests were guarded by transaction IDs, which an attacker would have needed to guess, providing solid protection against cross-site request forgery (CSRF).
With this fix, all toggle actions on the global settings page verify the CSRF token before being executed.
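The layered check described above, as an added sketch that is not Checkmk's own code: a toggle handler verifies a session-bound CSRF token first, then a one-time transaction ID. The class, function and form field names (`csrf_token`, `transid`, `varname`) are hypothetical.

```python
import hmac
import secrets


class RequestRejected(Exception):
    """Raised when a state-changing request fails a verification step."""


class Session:
    """Hypothetical server-side session state for one logged-in user."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)  # fixed for the session
        self.transaction_ids = set()                 # one-time IDs, one per rendered form

    def issue_transaction_id(self):
        tid = secrets.token_urlsafe(16)
        self.transaction_ids.add(tid)
        return tid


def handle_toggle(session, settings, form):
    """Flip a boolean setting only if the CSRF token and transaction ID both verify."""
    # 1. CSRF token: checked before anything else, compared in constant time.
    supplied = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        raise RequestRejected("CSRF token missing or invalid")

    # 2. Transaction ID: must have been issued to this session and not used yet.
    tid = form.get("transid", "")
    if tid not in session.transaction_ids:
        raise RequestRejected("unknown or already used transaction ID")

    # 3. Only boolean settings can be toggled.
    name = form.get("varname", "")
    if not isinstance(settings.get(name), bool):
        raise RequestRejected("not a toggle setting")

    # Consume the transaction ID so a replayed request is rejected.
    session.transaction_ids.discard(tid)
    settings[name] = not settings[name]
    return settings[name]
```

A request that carries a valid transaction ID but no CSRF token is rejected without consuming the transaction ID, so the legitimate form submission still works afterwards.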