Catch up on the latest product updates, best practices, and expert insights from the Checkmk Conference #12 – Watch the livestream recordings now

Werk #20104: mk_sap_hana: Privilege escalation via crafted sapstartsrv process name

Component Checks & agents
Title mk_sap_hana: Privilege escalation via crafted sapstartsrv process name
Date Jul 7, 2026
Level Trivial Change
Class Security Fix
Compatibility Compatible - no manual interaction needed
Checkmk versions & editions
3.0.0b1
Not yet released
Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
2.5.0p9
Not yet released
Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
2.4.0p34 Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Cloud, Checkmk Ultimate MT
2.3.0p49
Not yet released
Checkmk Community, Checkmk Pro, Checkmk Ultimate, Checkmk Ultimate MT

Without an explicit database configuration, the mk_sap_hana agent plugin discovers SAP HANA instances from the running processes and uses the derived instance identifier to build a command that it runs with elevated privileges. Because any local user can freely choose the name of a process they start, an unprivileged user could disguise a process as a SAP HANA instance and smuggle additional commands into that identifier, which the plugin would then execute as root.

With this werk the plugin only accepts values matching the exact shape of a genuine SAP HANA instance, so attacker-controlled input can no longer influence the privileged command.

This issue was found by internal review.

Who is Affected

Systems running the Linux agent with the mk_sap_hana plugin enabled, where the plugin runs as root and discovers instances from the process list. The escalation to root requires RUNAS=agent.

Affected Checkmk Versions

  • 2.5.0
  • 2.4.0
  • 2.3.0
  • 2.2.0(EOL)

Vulnerability Management

We have rated the issue with a CVSS Score of 5.2 (Medium) with the following CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H and assigned CVE-2026-14852.

To the list of all Werks