CVE-2026-31836
Published: 20 March 2026
Summary
CVE-2026-31836 is a high-severity Improper Privilege Management (CWE-269) vulnerability in Bluewavelabs Checkmate. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations so that authenticated users cannot escalate privileges via mass assignment in the user profile update endpoint.
- SI-10 (Information Input Validation): validates inputs at the profile update endpoint to reject unauthorized parameters, such as role modifications, submitted in a mass assignment attack.
- AC-6 (Least Privilege): restricts privilege escalation so that users cannot gain superadmin access beyond their assigned roles.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The mass assignment flaw in the authenticated profile update endpoint is exploited directly to escalate from a low-privileged user to superadmin, which matches T1068 (Exploitation for Privilege Escalation).
NVD Description
Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any authenticated user to escalate their privileges to superadmin, bypassing all role-based access controls. An attacker can modify their user role to gain complete administrative access to the application, including the ability to view all users, modify critical configurations, and access sensitive system data. At time of publication, there are no publicly available patches.
Deeper analysis
CVE-2026-31836 is a mass assignment vulnerability in Checkmate's user profile update endpoint. Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with visualizations. The vulnerability affects versions 3.5.1 and prior and stems from improper handling of user-supplied input during profile updates: fields the user should not control are accepted along with the fields they may legitimately edit.
Any authenticated user can exploit this vulnerability over the network with low complexity to escalate their privileges to superadmin, bypassing all role-based access controls. Successful exploitation grants complete administrative access to the application, enabling the attacker to view all users, modify critical configurations, and access sensitive system data. The issue has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWEs 269 (Improper Privilege Management) and 285 (Improper Authorization).
The GitHub security advisory at https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-6368-x7wr-wpm2 states that, at the time of publication on 2026-03-20, there are no publicly available patches.
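As an added illustration (not Checkmate's code, whose handler this page does not show), a hypothetical Node-style profile-update function written in the mass-assignment pattern described above, beside a hardened version that copies only an allowlist of editable fields and reports any caller-supplied `role`. All names and the sample request are constructed for this example.

```javascript
// Added example (hypothetical, not Checkmate's code): mass assignment in a
// profile-update handler versus an allowlist-based fix. Plain Node, no deps.

// Fields a user is permitted to change on their own profile (assumed set).
const UPDATABLE_FIELDS = new Set(["firstName", "lastName", "profileImage"]);

// Vulnerable pattern: every key in the request body is merged into the stored
// record, so a caller-supplied "role" silently overwrites the real role.
function updateProfileUnsafe(storedUser, body) {
  return { ...storedUser, ...body };
}

// Hardened pattern: copy only allowlisted keys; collect the rest so the caller
// can log the attempt (a role change belongs in a separate, admin-only path).
function updateProfileSafe(storedUser, body) {
  const updated = { ...storedUser };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (UPDATABLE_FIELDS.has(key)) {
      updated[key] = value;
    } else {
      rejected.push(key);
    }
  }
  return { updated, rejected };
}

// Constructed sample: a normal user edits their name and also smuggles in a
// privileged field, the shape of request the advisory describes.
const storedUser = { id: 42, firstName: "Ada", role: "user" };
const body = { firstName: "Ada L.", role: "superadmin" };

const unsafeResult = updateProfileUnsafe(storedUser, body);
const safeResult = updateProfileSafe(storedUser, body);
console.log("unsafe role:", unsafeResult.role);        // superadmin
console.log("safe role:", safeResult.updated.role);     // user
console.log("rejected keys:", safeResult.rejected);     // [ 'role' ]
```

Logging `rejected` gives a cheap detection signal: a profile update carrying `role` from a non-admin session is exactly the request pattern defenders would want to alert on.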
Details
- CWE(s)