Cyber Posture

CVE-2026-24096

High

Published: 01 April 2026

Modified: 07 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (update per the vendor advisory below)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (16.5th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-24096 is a high-severity Improper Handling of Insufficient Permissions or Privileges (CWE-280) vulnerability in Checkmk, affecting several REST API Quick Setup endpoints. Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 16.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

AC-3 Access Enforcement (prevent)
Directly mandates enforcement of approved authorizations on REST API endpoints to prevent low-privileged users from performing unauthorized actions or accessing sensitive information.

AC-24 Access Control Decisions (prevent)
Requires the system to make and enforce explicit access control decisions for resources like the Quick Setup API endpoints, addressing the lack of permission validation.

AC-6 Least Privilege (prevent)
Implements least privilege to restrict low-privileged users' capabilities, limiting the impact of insufficient permission checks on the affected endpoints.
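The three controls above describe the same fix from different angles: decide explicitly, per action, whether the caller is allowed (AC-24), refuse the call if not (AC-3), and hand low-privileged roles as little as possible (AC-6). The following Python illustration, added here and not Checkmk's code, shows the CWE-280 shape of an endpoint that only checks that someone is logged in, next to a hardened version that enforces a permission per action. Every role, permission, stage and handler name in it is invented for the example.

```python
"""Hypothetical REST endpoint showing the CWE-280 pattern (authentication
checked, authorization not) next to a hardened version that makes an explicit
access control decision per action (AC-3 / AC-24 / AC-6).

Added illustration, not Checkmk code: the permission names, roles, stage
store and handler names below are all invented for the example.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Optional, Set, Tuple

Response = Tuple[int, dict]

# Constructed role -> permission map (names invented).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": {"quick_setup.read", "quick_setup.read_secrets", "quick_setup.write"},
    "user": {"quick_setup.read"},
    "guest": set(),
}

# Constructed Quick Setup stage store; "credentials" is what a low-privileged
# caller must not be able to read back.
STAGES: Dict[str, dict] = {
    "aws-stage-1": {"region": "eu-central-1", "credentials": "constructed-secret"},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str

    def has_permission(self, perm: str) -> bool:
        return perm in ROLE_PERMISSIONS.get(self.role, set())


def require_permission(perm: str) -> Callable:
    """Make the authorization decision before the handler runs (AC-24) and
    enforce it by refusing the call (AC-3). No user is 401; an authenticated
    user lacking the permission is 403."""
    def decorator(handler: Callable[..., Response]) -> Callable[..., Response]:
        @wraps(handler)
        def wrapper(user: Optional[User], *args, **kwargs) -> Response:
            if user is None:
                return 401, {"error": "authentication required"}
            if not user.has_permission(perm):
                return 403, {"error": f"permission {perm!r} required"}
            return handler(user, *args, **kwargs)
        return wrapper
    return decorator


def redact(stage: dict) -> dict:
    """View of a stage without its secret material."""
    return {k: v for k, v in stage.items() if k != "credentials"}


# VULNERABLE pattern: the only gate is "is someone logged in?". Any
# authenticated role, including "guest", gets the full record back.
def get_stage_vulnerable(user: Optional[User], stage_id: str) -> Response:
    if user is None:
        return 401, {"error": "authentication required"}
    if stage_id not in STAGES:
        return 404, {"error": "unknown stage"}
    return 200, STAGES[stage_id]


# HARDENED pattern: reading needs a permission, reading secrets needs a second
# one, and writing needs a third; plain readers get the redacted view.
@require_permission("quick_setup.read")
def get_stage_hardened(user: User, stage_id: str) -> Response:
    if stage_id not in STAGES:
        return 404, {"error": "unknown stage"}
    stage = STAGES[stage_id]
    if user.has_permission("quick_setup.read_secrets"):
        return 200, stage
    return 200, redact(stage)


@require_permission("quick_setup.write")
def run_stage_action_hardened(user: User, stage_id: str, action: str) -> Response:
    if stage_id not in STAGES:
        return 404, {"error": "unknown stage"}
    # The real action is out of scope for the example; report acceptance only.
    return 202, {"stage": stage_id, "action": action, "by": user.name}


if __name__ == "__main__":
    for u in (None, User("guest1", "guest"), User("alice", "user"), User("root", "admin")):
        who = u.name if u else "anonymous"
        print(who, "vulnerable:", get_stage_vulnerable(u, "aws-stage-1"))
        print(who, "hardened:  ", get_stage_hardened(u, "aws-stage-1"))
        print(who, "action:    ", run_stage_action_hardened(u, "aws-stage-1", "save"))
```

The point to carry over to a code review of any REST layer: a handler that reaches its body with only an "is authenticated" check has made no access control decision at all, which is exactly the condition CWE-280 describes.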

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Insufficient permission validation on REST API endpoints allows low-privileged authenticated users to perform unauthorized high-impact actions remotely, directly enabling exploitation for privilege escalation (T1068) and exploitation of a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information.

Deeper analysis (AI-generated)

CVE-2026-24096 is an insufficient permission validation vulnerability (CWE-280) in multiple REST API Quick Setup endpoints of Checkmk. It affects Checkmk 2.5.0 beta versions prior to 2.5.0b2 and Checkmk 2.4.0 versions prior to 2.4.0p25. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

Low-privileged users (PR:L) with network access can exploit the vulnerability remotely with low attack complexity and no user interaction. Exploitation enables these users to perform unauthorized actions or obtain sensitive information, leveraging the lack of proper permission checks on the affected endpoints.

The Checkmk advisory at https://checkmk.com/werk/18989 covers the issue; the fix is to update to 2.5.0b2 or later on the 2.5.0 beta branch and to 2.4.0p25 or later on the 2.4.0 branch. Until the update is applied, the practical interim measure is to limit which low-privileged accounts can authenticate to the REST API at all, since the missing check sits inside the endpoints rather than in authentication.
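Deciding whether a given site is in the affected range comes down to comparing its version string against the two fixed builds named above. The helper below is added here and is not Checkmk tooling. It assumes the release, patch and beta naming used on this page ("2.4.0", "2.4.0p25", "2.5.0b2"), ordered beta before final release before patch release, and it tolerates a trailing three-letter edition tag such as ".cee" (an assumption about what `omd version` prints); any other form is rejected rather than guessed at. Branches the NVD text does not name are reported as "not listed", not as safe.

```python
"""Classify an installed Checkmk version against the affected/fixed ranges in
the NVD description of CVE-2026-24096 (2.4.0 before 2.4.0p25; 2.5.0 beta
before 2.5.0b2).

Added helper, not Checkmk tooling. It assumes the release/patch/beta naming
seen on this page ("2.4.0", "2.4.0p25", "2.5.0b2"), ordered
beta < final release < patch release, and optionally tolerates a trailing
edition tag such as ".cee" (an assumption about `omd version` output).
Anything else raises ValueError instead of being guessed.
"""
import re
import sys
from typing import Tuple

_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)"   # branch, e.g. 2.4.0
    r"(?:([bp])(\d+))?"       # optional beta (b) or patch (p) number
    r"(?:\.[a-z]{3})?$"       # optional edition tag, e.g. .cee (assumed form)
)
_STAGE_ORDER = {"b": 0, None: 1, "p": 2}  # beta < final release < patch

# First fixed build per affected branch, taken from the NVD description.
FIXED_IN = {(2, 4, 0): "2.4.0p25", (2, 5, 0): "2.5.0b2"}


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key: (major, minor, patch, stage, number)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Checkmk version string: {version!r}")
    major, minor, patch, stage, number = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_ORDER[stage], int(number or 0))


def status_for(version: str) -> str:
    """'affected', 'fixed', or 'not listed' (branch not named by NVD)."""
    key = version_key(version)
    fixed = FIXED_IN.get(key[:3])
    if fixed is None:
        return "not listed"
    return "affected" if key < version_key(fixed) else "fixed"


if __name__ == "__main__":
    # Constructed sample inputs, used when no versions are given on the command line.
    samples = sys.argv[1:] or [
        "2.4.0", "2.4.0p24", "2.4.0p25.cee", "2.5.0b1", "2.5.0b2", "2.5.0", "2.3.0p30",
    ]
    for v in samples:
        try:
            print(f"{v:14} {status_for(v)}")
        except ValueError as err:
            print(f"{v:14} error: {err}")
```

Run it as `python3 checkmk_cve_2026_24096.py "$(omd version | awk '{print $NF}')"` on the site host, or pass version strings collected from an inventory; "not listed" results need a manual look rather than being treated as fixed.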

Details

CWE(s)
CWE-280 Improper Handling of Insufficient Permissions or Privileges

Affected Products

Vendor: checkmk
Product: checkmk
Versions: 2.4.0, 2.5.0 (exact affected and fixed builds per the NVD description above)

CVEs Like This One

CVE-2026-33456 (same product: Checkmk)
CVE-2025-39666 (same product: Checkmk)
CVE-2025-1075 (same product: Checkmk)
CVE-2026-2123 (shared CWE-280)
CVE-2024-51459 (shared CWE-280)
CVE-2026-23857 (shared CWE-280)
CVE-2026-27910 (shared CWE-280)
CVE-2025-22395 (shared CWE-280)
CVE-2025-46066 (shared CWE-280)
CVE-2026-20817 (shared CWE-280)

References

Checkmk vendor advisory (Werk 18989): https://checkmk.com/werk/18989