Icinga vulnerabilities

32 known vulnerabilities affecting icinga/icinga.

Total CVEs: 32
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 14, MEDIUM 14, LOW 1

Vulnerabilities

CVE-2026-24413 (MEDIUM, CVSS 6.8) | Affected: ≥ 2.3.0, < 2.13.14; ≥ 2.14.0, < 2.14.8; +1 more | Published 2026-01-29
CWE-276: Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in its contents - including the private key of the user and synced configuration - being readable by a
Source: nvd
CVE-2025-61908 (HIGH, CVSS 7.1) | Affected: ≥ 2.10.0, < 2.13.13; ≥ 2.14.0, < 2.14.7; +1 more | Published 2025-10-16
CWE-476: Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, when creating an invalid reference, such as a reference to null, dereferencing results in a segmentation fault. This can be used by any API user with access to an API endpoint that allows specifying a filter expression to crash the Icinga 2 daemon. A fix i
Source: nvd
CVE-2025-61907 (HIGH, CVSS 7.1) | Affected: ≥ 2.4.0, < 2.13.13; ≥ 2.14.0, < 2.14.7; +1 more | Published 2025-10-16
CWE-200: Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables
Source: nvd
CVE-2025-61909 (MEDIUM, CVSS 4.0) | Affected: ≥ 2.10.0, < 2.13.13; ≥ 2.14.0, < 2.14.7; +1 more | Published 2025-10-16
CWE-250: Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration shipped with Icinga 2 read the PID of the main Icinga 2 process from a PID file writable by the daemon user, but send the signal as the root user. This can all
Source: nvd
CVE-2025-48057 (CRITICAL, CVSS 9.3) | Affected: fixed in 2.12.12; ≥ 2.13.0, < 2.13.12; +1 more | Published 2025-05-27
CWE-296: Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious cer
Source: nvd
CVE-2024-49369 (CRITICAL, CVSS 9.8) | Affected: ≥ 2.4.0, < 2.11.12; ≥ 2.12.0, < 2.12.11; +2 more | Published 2024-11-12
CWE-295: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client
Source: nvd
CVE-2024-24820 (HIGH, CVSS 8.3) | Affected: ≥ 1.0.0, < 1.8.2; ≥ 1.9.0, < 1.9.2; +2 more | Published 2024-02-09
CWE-352: Icinga Director is a tool designed to make Icinga 2 configuration handling easy. None of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness o
Source: nvd
CVE-2021-37698 (HIGH, CVSS 7.5) | Affected: ≥ 2.5.0, < 2.11.10; ≥ 2.12.0, < 2.12.6; +1 more | Published 2021-08-19
CWE-295: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2
Source: nvd
CVE-2021-32743 (HIGH, CVSS 8.8) | Affected: ≥ 2.0.0, < 2.11.10; ≥ 2.12.0, < 2.12.5 | Published 2021-07-15
CWE-202: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to a
Source: nvd
CVE-2021-32739 (HIGH, CVSS 8.8) | Affected: ≥ 2.4.0, < 2.11.10; ≥ 2.12.0, < 2.12.5 | Published 2021-07-15
CWE-267: Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-only user's credentials, an attacker can view most attrib
Source: nvd
CVE-2021-32746 (MEDIUM, CVSS 5.3) | Affected: ≥ 2.3.0, < 2.7.5; ≥ 2.8.0, < 2.8.3 | Published 2021-07-12
CWE-22: Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. Between versions 2.3.0 and 2.8.2, the `doc` module of Icinga Web 2 allows viewing documentation directly in the UI. It must be enabled manually by an administrator and users need explicit access permission to use it. Then, by visiting a certain route, it is
Source: nvd
CVE-2021-32747 (MEDIUM, CVSS 6.5) | Affected: ≥ 2.0.0, < 2.7.5; ≥ 2.8.0, < 2.8.3 | Published 2021-07-12
CWE-200: Icinga Web 2 is an open source monitoring web interface, framework, and command-line interface. A vulnerability in which custom variables are exposed to unauthorized users exists between versions 2.0.0 and 2.8.2. Custom variables are user-defined keys and values on configuration objects in Icinga 2. These are commonly used to reference secrets in ot
Source: nvd
CVE-2020-29663 (CRITICAL, CVSS 9.1) | Affected: ≥ 2.8.0, ≤ 2.11.7; v2.12.2 | Published 2020-12-15
CWE-295: Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.3.
Source: nvd
CVE-2020-14004 (HIGH, CVSS 7.8) | Affected: ≥ 2.0.0, ≤ 2.11.3; v2.12.0 | Published 2020-06-12
CWE-59: An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will be followed and arbitrary files can be changed to mode 2750 by the unprivileged
Source: nvd
CVE-2018-6535 (HIGH, CVSS 8.1) | Affected: ≥ 2.0.0, ≤ 2.8.1 | Published 2018-02-27
An issue was discovered in Icinga 2.x through 2.8.1. The lack of a constant-time password comparison function can disclose the password to an attacker.
Source: nvd
CVE-2018-6532 (HIGH, CVSS 7.5) | Affected: ≥ 2.0.0, ≤ 2.8.0 | Published 2018-02-27
CWE-400: An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted (authenticated and unauthenticated) requests, an attacker can exhaust a lot of memory on the server side, triggering the OOM killer.
Source: nvd
CVE-2018-6533 (HIGH, CVSS 7.8) | Affected: ≥ 2.0.0, ≤ 2.8.1 | Published 2018-02-27
An issue was discovered in Icinga 2.x through 2.8.1. By editing the init.conf file, Icinga 2 can be run as root. Following this the program can be used to run arbitrary code as root. This was fixed by no longer using init.conf to determine account information for any root-executed code (a larger issue than CVE-2017-16933).
Source: nvd
CVE-2018-6534 (MEDIUM, CVSS 6.5) | Affected: ≥ 2.0.0, ≤ 2.8.1 | Published 2018-02-27
CWE-476: An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause the product to crash.
Source: nvd
CVE-2018-6536 (MEDIUM, CVSS 5.5) | Affected: ≥ 2.0.0, ≤ 2.8.1 | Published 2018-02-02
CWE-732: An issue was discovered in Icinga 2.x through 2.8.1. The daemon creates an icinga2.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for icinga2.pid modification before a root script executes a "kill `cat /pathname/icinga2.pid`" command, as
Source: nvd
CVE-2017-16933 (HIGH, CVSS 7.0) | Affected: ≥ 2.0.0, ≤ 2.8.0 | Published 2017-11-24
CWE-732: etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the $ICINGA2_USER account for creation of a link.
Source: nvd