Werk #20104: mk_sap_hana: Privilege escalation via crafted sapstartsrv process name
| Component | Checks & agents | ||||||||
| Title | mk_sap_hana: Privilege escalation via crafted sapstartsrv process name | ||||||||
| Date | Jul 7, 2026 | ||||||||
| Level | Trivial Change | ||||||||
| Class | Security Fix | ||||||||
| Compatibility | Compatible - no manual interaction needed | ||||||||
| Checkmk versions & editions |
|
Without an explicit database configuration, the mk_sap_hana agent plugin
discovers SAP HANA instances from the running processes and uses the derived
instance identifier to build a command that it runs with elevated privileges.
Because any local user can freely choose the name of a process they start, an
unprivileged user could disguise a process as a SAP HANA instance and smuggle
additional commands into that identifier, which the plugin would then execute
as root.
With this werk the plugin only accepts values matching the exact shape of a genuine SAP HANA instance, so attacker-controlled input can no longer influence the privileged command.
This issue was found by internal review.
Who is Affected
Systems running the Linux agent with the mk_sap_hana plugin enabled, where the
plugin runs as root and discovers instances from the process list. The
escalation to root requires RUNAS=agent.
Affected Checkmk Versions
- 2.5.0
- 2.4.0
- 2.3.0
- 2.2.0(EOL)
Vulnerability Management
We have rated the issue with a CVSS Score of 5.2 (Medium) with the following
CVSS vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H
and assigned CVE-2026-14852.