216.73.217.176

CVE-2026-24413

· Published 29/01/2026 18:16 · Modified 29/01/2026 18:54

Labels: CVE-2026-24413 2026-01-29CVE-2026-24413CWE-276[email protected]

Essential information

Published
29/01/2026 18:16
Modified
29/01/2026 18:54
Author
Creator
CVSS
6.8 MEDIUM (v3) 6.8 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access.

NVD status

Status
Awaiting Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
icinga / icinga cpe:2.3:a:icinga:icinga:2.3.0-2.13.13:*:*:*:*:*:*:*
icinga / icinga cpe:2.3:a:icinga:icinga:2.14.0-2.14.8:*:*:*:*:*:*:*
icinga / icinga cpe:2.3:a:icinga:icinga:2.15.0-2.15.2:*:*:*:*:*:*:*
icinga / icinga for windows cpe:2.3:a:icinga:icinga_for_windows:1.11.2-1.13.4:*:*:*:*:*:*:*

References