CVE-2026-24413

EUVD-2026-4959
Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
icingaicinga
2.3.0 ≤
𝑥
< 2.13.14
icingaicinga
2.14.0 ≤
𝑥
< 2.14.8
icingaicinga
2.15.0 ≤
𝑥
< 2.15.2
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
icinga2
bookworm
2.13.6-2+deb12u2
fixed
bullseye
2.12.3-1
fixed
bullseye (security)
2.12.3-1+deb11u1
fixed
forky
2.15.2-1
fixed
sid
2.15.2-1
fixed
trixie
2.14.6-1
fixed
Common Weakness Enumeration
References
https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-88h5-rrm6-5973
https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmr
https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2