Icinga Icinga2 vulnerabilities
17 known vulnerabilities affecting icinga/icinga2.
Total CVEs: 17
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 10, MEDIUM 4
Vulnerabilities
CVE-2026-24413 | MEDIUM | CVSS 6.8 | affected: >= 2.3.0, < 2.13.14; >= 2.14.0, < 2.14.8; +1 more | 2026-01-29
CVE-2026-24413 [MEDIUM] CWE-276 (Incorrect Default Permissions): Icinga has insecure permission of %ProgramData%\icinga2\var on Windows
Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in its contents - including the private key of the user and synced configura
Sources: cvelistv5
CVE-2025-61908 | HIGH | CVSS 7.1 | affected: >= 2.10.0, < 2.13.13; >= 2.14.0, < 2.14.7; +1 more | 2025-10-16
CVE-2025-61908 [HIGH] CWE-476 (NULL Pointer Dereference)
Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, when creating an invalid reference, such as a reference to null, dereferencing results in a segmentation fault. This can be used by any API user with access to an API endpoint that allows specifying a filter expression to crash the Icinga 2 daemon. A fix i
Sources: cvelistv5, nvd, osv
CVE-2025-61907 | HIGH | CVSS 7.1 | affected: >= 2.15.0, < 2.15.1; >= 2.14.0, < 2.14.7; +1 more | 2025-10-16
CVE-2025-61907 [HIGH] CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables
Sources: cvelistv5, nvd, osv
CVE-2025-61909 | MEDIUM | CVSS 4.0 | affected: >= 2.10.0, < 2.13.13; >= 2.14.0, < 2.14.7; +1 more | 2025-10-16
CVE-2025-61909 [MEDIUM] CWE-250 (Execution with Unnecessary Privileges)
Icinga 2 is an open source monitoring system. From 2.10.0 to before 2.15.1, 2.14.7, and 2.13.13, the safe-reload script (also used during systemctl reload icinga2) and logrotate configuration shipped with Icinga 2 read the PID of the main Icinga 2 process from a PID file writable by the daemon user, but send the signal as the root user. This can all
Sources: cvelistv5, nvd, osv
CVE-2025-48057 | CRITICAL | CVSS 9.3 | affected: >= 2.14.0, < 2.14.6; >= 2.13.0, < 2.13.12; +1 more | 2025-05-27
CVE-2025-48057 [CRITICAL] CWE-296 (Improper Following of a Certificate's Chain of Trust)
Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate() function can be tricked into incorrectly treating certificates as valid. This allows an attacker to send a malicious cer
Sources: cvelistv5, nvd, osv
CVE-2024-49369 | CRITICAL | CVSS 9.8 | affected: >= 2.4.0, < 2.11.12; >= 2.12.0, < 2.12.11; +2 more | 2024-11-12
CVE-2024-49369 [CRITICAL] CWE-295 (Improper Certificate Validation)
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client
Sources: cvelistv5, nvd, osv
CVE-2021-37698 | HIGH | CVSS 7.5 | affected: >= 2.5.0, <= 2.13.0 | 2021-08-19
CVE-2021-37698 [HIGH] CWE-295 (Improper Certificate Validation)
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions 2.5.0 through 2.13.0, ElasticsearchWriter, GelfWriter, InfluxdbWriter and Influxdb2Writer do not verify the server's certificate despite a certificate authority being specified. Icinga 2
Sources: cvelistv5, nvd, osv
CVE-2021-32743 | HIGH | CVSS 8.8 | affected: fixed in 2.11.10; >= 2.12.0, <= 2.12.4 | 2021-07-15
CVE-2021-32743 [HIGH] CWE-202 (Exposure of Sensitive Information Through Data Queries)
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. In versions prior to 2.11.10 and from version 2.12.0 through version 2.12.4, some of the Icinga 2 features that require credentials for external services expose those credentials through the API to a
Sources: cvelistv5, nvd, osv
CVE-2021-32739 | HIGH | CVSS 8.8 | affected: >= 2.4.0, <= 2.12.4 | 2021-07-15
CVE-2021-32739 [HIGH] CWE-267 (Privilege Defined With Unsafe Actions)
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. From version 2.4.0 through version 2.12.4, a vulnerability exists that may allow privilege escalation for authenticated API users. With a read-only user's credentials, an attacker can view most attrib
Sources: cvelistv5, nvd, osv
CVE-2020-29663 | CRITICAL | CVSS 9.1 | affected: ≥ 0, < 2.12.3-1 | 2020-12-15
CVE-2020-29663 [CRITICAL]
Icinga 2 v2.8.0 through v2.11.7 and v2.12.2 has an issue where revoked certificates due for renewal will automatically be renewed, ignoring the CRL. This issue is fixed in Icinga 2 v2.11.8 and v2.12.3.
Sources: osv
CVE-2020-14004 | HIGH | CVSS 7.8 | affected: ≥ 0, < 2.11.5-1 | 2020-06-12
CVE-2020-14004 [HIGH]
An issue was discovered in Icinga2 before v2.12.0-rc1. The prepare-dirs script (run as part of the icinga2 systemd service) executes chmod 2750 /run/icinga2/cmd. /run/icinga2 is under control of an unprivileged user by default. If /run/icinga2/cmd is a symlink, then it will be followed and arbitrary files can be changed to mode 2750 by the unprivileged icinga2 user.
Sources: osv
CVE-2018-6532 | HIGH | CVSS 7.5 | affected: ≥ 0, < 2.8.4-1 | 2018-02-27
CVE-2018-6532 [HIGH]
An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted (authenticated and unauthenticated) requests, an attacker can exhaust a lot of memory on the server side, triggering the OOM killer.
Sources: osv
CVE-2018-6533 | HIGH | CVSS 7.0 | affected: ≥ 0, < 2.8.4-1 | 2018-02-27
CVE-2018-6533 [HIGH]
An issue was discovered in Icinga 2.x through 2.8.1. By editing the init.conf file, Icinga 2 can be run as root. Following this the program can be used to run arbitrary code as root. This was fixed by no longer using init.conf to determine account information for any root-executed code (a larger issue than CVE-2017-16933).
Sources: osv
CVE-2018-6535 | HIGH | CVSS 8.1 | affected: ≥ 0, < 2.8.4-1 | 2018-02-27
CVE-2018-6535 [HIGH]
An issue was discovered in Icinga 2.x through 2.8.1. The lack of a constant-time password comparison function can disclose the password to an attacker.
Sources: osv
CVE-2018-6534 | MEDIUM | CVSS 6.5 | affected: ≥ 0, < 2.8.4-1 | 2018-02-27
CVE-2018-6534 [MEDIUM]
An issue was discovered in Icinga 2.x through 2.8.1. By sending specially crafted messages, an attacker can cause a NULL pointer dereference, which can cause the product to crash.
Sources: osv
CVE-2018-6536 | MEDIUM | CVSS 5.5 | affected: ≥ 0, < 2.8.4-1 | 2018-02-02
CVE-2018-6536 [MEDIUM]
An issue was discovered in Icinga 2.x through 2.8.1. The daemon creates an icinga2.pid file after dropping privileges to a non-root account, which might allow local users to kill arbitrary processes by leveraging access to this non-root account for icinga2.pid modification before a root script executes a "kill `cat /pathname/icinga2.pid`" command, as demonstrated by icinga2.init.d.cmake.
Sources: osv
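The same root-signals-a-daemon-written-PID pattern underlies CVE-2025-61909 (safe-reload and logrotate) and CVE-2018-6536 (the init script) above. The following is an added example, not Icinga 2's own scripts: a hardened replacement for `kill $(cat pidfile)` that treats the PID file as attacker input. The function name, the ps-based identity check and the sample PID files are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Icinga 2's safe-reload, logrotate or init script):
# hardened replacement for the "kill `cat icinga2.pid`" pattern behind
# CVE-2025-61909 and CVE-2018-6536. The PID file is written by the
# unprivileged daemon user into a directory it controls, so a root script
# must not trust its contents.

# Vulnerable pattern, for contrast (path illustrative): whatever PID the
# daemon user wrote gets signalled as root.
#   kill -HUP "$(cat /run/icinga2/icinga2.pid)"

# safe_signal_from_pidfile PIDFILE EXPECTED_USER EXPECTED_COMM [SIGNAL]
# Signals the PID only if PIDFILE is a regular file holding one plain
# positive integer and that PID is a live process owned by EXPECTED_USER
# whose command name is EXPECTED_COMM. Returns non-zero otherwise.
safe_signal_from_pidfile() {
    pidfile=$1; expected_user=$2; expected_comm=$3; sig=${4:-TERM}

    # A symlinked PID file lets the daemon user substitute any readable file.
    if [ -L "$pidfile" ] || [ ! -f "$pidfile" ]; then
        echo "refusing: $pidfile is missing or a symlink" >&2
        return 1
    fi

    # First line only, and it must be digits: "-1" would hit every process,
    # "1 2" two processes, and anything else is not a PID at all.
    pid=$(head -n 1 "$pidfile")
    case $pid in
        ''|*[!0-9]*|0) echo "refusing: bad pid '$pid'" >&2; return 1 ;;
    esac

    # Identity check with POSIX ps; both print nothing if the PID is dead.
    owner=$(ps -o user= -p "$pid" 2>/dev/null | tr -d '[:space:]')
    comm=$(ps -o comm= -p "$pid" 2>/dev/null | tr -d '[:space:]')
    if [ "$owner" != "$expected_user" ] || [ "$comm" != "$expected_comm" ]; then
        echo "refusing: pid $pid is '$owner/$comm', expected '$expected_user/$expected_comm'" >&2
        return 1
    fi

    # Residual risk: PID reuse between this check and the kill. A service
    # manager that tracks the main PID itself (systemd's MainPID) takes the
    # file out of the trust path entirely.
    kill -"$sig" "$pid"
}
```

Called from a root reload hook as, for example, `safe_signal_from_pidfile /run/icinga2/icinga2.pid icinga icinga2 HUP` (daemon account name assumed; the command name is that of the `icinga2` binary), a PID file rewritten to point at sshd or PID 1 is rejected instead of signalled. The check narrows the attack to PID reuse of a process that is both owned by the daemon user and named like the daemon, which is exactly the process the script intended to signal anyway.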
CVE-2017-16933 | HIGH | CVSS 7.0 | affected: ≥ 0, < 2.8.4-1 | 2017-11-24
CVE-2017-16933 [HIGH]
etc/initsystem/prepare-dirs in Icinga 2.x through 2.8.1 has a chown call for a filename in a user-writable directory, which allows local users to gain privileges by leveraging access to the $ICINGA2_USER account for creation of a link.
Sources: osv
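CVE-2017-16933 (chown through a link) and CVE-2020-14004 (chmod 2750 through a link) are the same bug class: a root-run prepare-dirs script applying ownership or mode to a path inside a directory the daemon user controls. The following is an added example, not Icinga 2's etc/initsystem/prepare-dirs, of a symlink-safe way for a root script to create a daemon-owned directory; the function name, the parent-directory policy and the paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Icinga 2's prepare-dirs): create a daemon-owned
# directory from a privileged script without following links planted by
# the daemon user (the CVE-2017-16933 / CVE-2020-14004 pattern).

# Vulnerable pattern, for contrast: if /run/icinga2 is owned by the daemon
# user, it can replace "cmd" with a symlink and root's chmod follows it.
#   chmod 2750 /run/icinga2/cmd

# safe_prepare_dir DIR OWNER GROUP MODE
safe_prepare_dir() {
    dir=$1; owner=$2; group=$3; mode=$4
    parent=$(dirname "$dir")
    me=$(id -un)   # root when run from service start-up

    # 1. The parent must be a real directory owned by the caller and not
    #    writable by anyone else. Otherwise DIR can be swapped for a link
    #    between the checks below and the chown/chmod, and no amount of
    #    checking in shell closes that window.
    if [ -L "$parent" ] || [ ! -d "$parent" ]; then
        echo "refusing: $parent is not a directory" >&2; return 1
    fi
    if [ -n "$(find "$parent" -prune \( ! -user "$me" -o -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "refusing: $parent is writable by other users" >&2; return 1
    fi

    # 2. Never operate through a link, or on a non-directory in DIR's place.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2; return 1
    fi
    if [ -e "$dir" ] && [ ! -d "$dir" ]; then
        echo "refusing: $dir exists and is not a directory" >&2; return 1
    fi

    # 3. mkdir without -p fails instead of following anything; only then
    #    hand the directory to the daemon user.
    [ -d "$dir" ] || mkdir "$dir" || return 1
    chown "$owner:$group" "$dir" && chmod "$mode" "$dir"
}
```

With the layout described in CVE-2020-14004, where /run/icinga2 itself belongs to the unprivileged user, step 1 refuses to proceed, and that is the correct outcome: a root script cannot safely set modes inside a daemon-writable directory, so either the parent stays root-owned and only the leaf is handed over, or the unprivileged daemon creates its own subdirectories after dropping privileges.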