SB20260629126 - Multiple vulnerabilities in Icinga




Published: June 29, 2026

Security Bulletin ID: SB20260629126
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 67%, Low: 33%

Description

This security bulletin contains information about 3 vulnerabilities.


1) Input validation error (CVE-ID: N/A)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper input validation in the /v1/objects API endpoint when writing template names to generated configuration files. A remote privileged user can submit a specially crafted request to escalate privileges.

Exploitation is limited to API users with permission to create configuration objects.


2) Stack-based buffer overflow (CVE-ID: N/A)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a stack-based buffer overflow in the JSON parser when processing deeply nested JSON objects. A remote attacker can send specially crafted JSON input to cause a denial of service.

The affected code is reachable by unauthenticated clients over the network. The possibility of code execution cannot be ruled out, but it has not been demonstrated.
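
A common defence for this class of bug is to bound nesting depth before untrusted input reaches a recursive parser. The following is an added example, not Icinga's code or its actual fix; the names check_json_depth, DepthCheck and nested_arrays and the limit used in any call are assumptions for illustration.

```cpp
#include <cstddef>
#include <string>

// Hypothetical helper: result of the pre-parse scan.
struct DepthCheck {
    bool ok;            // false if the limit was exceeded or nesting is unbalanced
    std::size_t depth;  // deepest nesting level seen before the scan stopped
};

// Walk the raw bytes once, without recursion, tracking how deeply arrays and
// objects are nested. Brackets inside string literals are ignored.
DepthCheck check_json_depth(const std::string& input, std::size_t max_depth)
{
    std::size_t depth = 0, deepest = 0;
    bool in_string = false, escaped = false;

    for (char c : input) {
        if (in_string) {
            if (escaped)        escaped = false;  // char after a backslash is literal
            else if (c == '\\') escaped = true;
            else if (c == '"')  in_string = false;
            continue;
        }
        switch (c) {
        case '"':
            in_string = true;
            break;
        case '{': case '[':
            if (++depth > deepest) deepest = depth;
            if (depth > max_depth) return {false, deepest};  // reject before parsing
            break;
        case '}': case ']':
            if (depth == 0) return {false, deepest};  // closer without an opener
            --depth;
            break;
        default:
            break;
        }
    }
    // Truncated input (unclosed container or string) is rejected as well.
    return {depth == 0 && !in_string, deepest};
}

// Constructed sample input: n nested arrays, e.g. nested_arrays(3) == "[[[]]]".
std::string nested_arrays(std::size_t n)
{
    return std::string(n, '[') + std::string(n, ']');
}
```

The scan only bounds nesting; input that passes still has to be validated by the real parser.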


3) Improper access control (CVE-ID: N/A)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to take control over the node.

The vulnerability exists due to improper access control in the handling of certificate update JSON-RPC messages. A remote attacker can send a specially crafted certificate update message to take control over the node.

An attacker can update both the node's own certificate and the trusted CA certificate, enabling impersonation of a trusted node.


Remediation

Install the update from the vendor's website.