{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33456", "assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "state": "PUBLISHED", "assignerShortName": "Checkmk", "dateReserved": "2026-03-20T10:30:13.353Z", "datePublished": "2026-04-10T08:31:27.807Z", "dateUpdated": "2026-04-14T13:29:54.362Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Checkmk", "vendor": "Checkmk GmbH", "versions": [{"lessThan": "2.5.0b4", "status": "affected", "version": "2.5.0", "versionType": "semver"}, {"lessThan": "2.4.0p26", "status": "affected", "version": "2.4.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description."}], "impacts": [{"capecId": "CAPEC-15", "descriptions": [{"lang": "en", "value": "CAPEC-15: Command Delimiters"}]}], "metrics": [{"cvssV4_0": {"baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-140", "description": "CWE-140: Improper Neutralization of Delimiters", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "shortName": "Checkmk", "dateUpdated": "2026-04-10T08:31:27.807Z"}, "references": [{"url": "https://checkmk.com/werk/17989", "tags": ["vendor-advisory"]}], "title": "Potential livestatus injection in notification test", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.5.0", "versionEndExcluding": "2.5.0b4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.4.0p26"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T03:55:37.035774Z", "id": "CVE-2026-33456", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:29:54.362Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33456", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T03:55:37.035774Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T12:47:46.627Z"}}], "cna": {"title": "Potential livestatus injection in notification test", "impacts": [{"capecId": "CAPEC-15", "descriptions": [{"lang": "en", "value": "CAPEC-15: Command Delimiters"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.1, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}}], "affected": [{"vendor": "Checkmk GmbH", "product": "Checkmk", "versions": [{"status": "affected", "version": "2.5.0", "lessThan": "2.5.0b4", "versionType": "semver"}, {"status": "affected", "version": "2.4.0", "lessThan": "2.4.0p26", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://checkmk.com/werk/17989", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-140", "description": "CWE-140: Improper Neutralization of Delimiters"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.5.0b4", "versionStartIncluding": "2.5.0"}, {"criteria": "cpe:2.3:a:checkmk:checkmk:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "2.4.0p26", "versionStartIncluding": "2.4.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "shortName": "Checkmk", "dateUpdated": "2026-04-10T08:31:27.807Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33456", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:29:54.362Z", "dateReserved": "2026-03-20T10:30:13.353Z", "assignerOrgId": "f7d6281c-4801-44ce-ace2-493291dedb0f", "datePublished": "2026-04-10T08:31:27.807Z", "assignerShortName": "Checkmk"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Livestatus injection in the notification test mode in Checkmk <2.5.0b4 and <2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description."}], "id": "CVE-2026-33456", "lastModified": "2026-04-13T15:02:06.187", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@checkmk.com", "type": "Secondary"}]}, "published": "2026-04-10T09:16:24.493", "references": [{"source": "security@checkmk.com", "url": "https://checkmk.com/werk/17989"}], "sourceIdentifier": "security@checkmk.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-140"}], "source": "security@checkmk.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.5.0,2.5.0b4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.4.0,2.4.0p26)"}}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Checkmk", "source": "cna", "vendor": "Checkmk GmbH"}, "product": "checkmk", "vendor": "checkmk"}], "analysis": {"en": {"generated_at": "2026-04-10T10:21:49.177379+00:00", "value": {"mitigation_remediation": ["Upgrade Checkmk to version 2.5.0b4 or later (or 2.4.0p26 for older series).", "Restrict or disable access to the notification test page for users without privileged access.", "Monitor system logs for unexpected Livestatus queries that could indicate injection attempts."], "summary": {"action": "Upgrade", "impact": "Livestatus command injection"}, "threat_synthesis": {"affected_systems": "Checkmk GmbH Checkmk installations running versions earlier than 2.5.0b4 in the 2.5 branch or earlier than 2.4.0p26 in the 2.4 branch are affected. Only deployments that use the legacy notification test feature are vulnerable; newer releases have addressed the issue.", "description_and_impact": "A flaw in Checkmk\u2019s notification test mode allows an authenticated user who can access the test page to insert crafted service descriptions that are interpreted as arbitrary Livestatus commands. The injected commands can then be executed against the monitoring system\u2019s Livestatus interface, enabling the attacker to query, modify, or otherwise manipulate monitoring data in ways not intended by the configuration.", "risk_and_exploitability": "The CVSS score of 5.1 indicates moderate severity. No EPSS value is provided, so the likelihood of exploitation remains uncertain. The vulnerability is not listed in CISA\u2019s KEV catalog. Because the flaw requires an authenticated user with access to the notification test page, the most likely attack vector is an internal attacker or one who has gained valid credentials and sufficient privileges. This inference is based on the description and is not explicitly detailed in the provided data."}}}}, "created": "2026-04-10T14:40:53.158203+00:00", "updated": "2026-04-13T13:06:16.647366+00:00", "vendors": ["checkmk", "checkmk$PRODUCT$checkmk"]}