CVE-2026-7186 · Severity: HIGH · CNA: Checkmk

CVE-2026-7186: Fix stored XSS in URL dashboard widget via dangerous URI schemes

Stored cross-site scripting in the URL dashboard widget in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows a user with dashboard editing permissions to store a URL with a dangerous URI scheme such as javascript: that executes scripts in other users' browsers when they view the dashboard.

Metrics

  • CVSS v4.0: 8.5
  • Severity: HIGH
  • Fixed in: 2.3.0p48
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in the URL dashboard widget of Checkmk allows a user with dashboard editing permissions to embed a malicious URI scheme (such as javascript:) into a widget URL. The attack is delivered over the network and requires a low-privilege account to plant the payload, but a separate user must subsequently view the affected dashboard for the script to execute. Successful exploitation gives the attacker full control over the victim user's browser session within Checkmk, including the ability to read and modify data accessible to that user. Patched-image rebuilds at versions 2.3.0p48, 2.4.0p31, and 2.5.0p5 are available on HarborGuard for affected environments.
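The check the fix implies, as an added example that is not Checkmk's own code: an allowlist on the scheme of a user-supplied widget URL before it is stored, plus an audit pass over already-stored widgets to catch payloads planted before the patched version was rolled out. The dashboard/widget layout and field names are constructed assumptions.

```python
# Added example, not Checkmk's own code: an allowlist check on the scheme of a
# user-supplied widget URL before it is stored, plus an audit pass over stored
# widgets. The dashboard/widget layout and field names are constructed.
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})  # cannot execute script

# Browsers delete ASCII tab/LF/CR anywhere in a URL and ignore leading/trailing
# C0 controls and spaces before parsing the scheme; normalize the same way so
# "java\tscript:" is judged on the string the browser will actually see.
_STRIP_INSIDE = re.compile(r"[\t\n\r]")
_STRIP_EDGES = "".join(map(chr, range(0x21)))  # NUL..US plus space

def normalize_url(raw: str) -> str:
    return _STRIP_INSIDE.sub("", raw).strip(_STRIP_EDGES)

def is_safe_widget_url(raw: str) -> bool:
    url = normalize_url(raw)
    if not url:
        return False
    scheme = urlsplit(url).scheme.lower()
    # No scheme = relative or protocol-relative URL, which resolves against the
    # page's http(s) origin and so cannot carry a script-executing scheme.
    return scheme == "" or scheme in ALLOWED_SCHEMES

def audit_widget_urls(dashboards: dict) -> list:
    """(dashboard, widget_index, url) for each stored URL widget that fails
    the allowlist, e.g. payloads planted before the fixed version was deployed."""
    findings = []
    for name, widgets in dashboards.items():
        for idx, widget in enumerate(widgets):
            url = widget.get("url", "")
            if widget.get("type") == "url" and not is_safe_widget_url(url):
                findings.append((name, idx, url))
    return findings

# Constructed sample of stored dashboards (not real Checkmk data).
SAMPLE_DASHBOARDS = {
    "ops_overview": [
        {"type": "url", "url": "https://grafana.internal.example/d/hosts"},
        {"type": "hoststats"},
        {"type": "url", "url": "  JavaScript:alert(1)"},
    ],
    "noc_wall": [
        {"type": "url", "url": "java\tscript:alert(1)"},
        {"type": "url", "url": "dashboard.py?name=problems"},
    ],
}
```

Running `audit_widget_urls(SAMPLE_DASHBOARDS)` flags widget 2 of ops_overview and widget 0 of noc_wall; the same normalization applied on save is what keeps a mixed-case or tab-spliced scheme from reaching other users' browsers.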

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-7186 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built Checkmk images. Any image running an affected Checkmk version (below 2.3.0p48, below 2.4.0p31, below 2.5.0p5, or any 2.2.0 release) is flagged automatically.

Triage: Available

Triage capability is available with a CVSS v4.0 score of 8.5 (HIGH), surfaced alongside per-environment compliance policy weighting so teams with stricter SLAs see the finding prioritized accordingly. Routing rules within each customer org direct the alert to the appropriate inbox based on image ownership and policy configuration.

Patch: Available

A patched-image rebuild at the applicable fix version (2.3.0p48, 2.4.0p31, or 2.5.0p5) becomes available on HarborGuard as soon as the upstream release is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Checkmk web interface over the network to plant the payload and the victim must load the dashboard from a network-accessible instance.

  • Authentication: Required

    A low-privilege account with dashboard editing permissions is sufficient to store the malicious URL; no administrative access is needed.

  • Victim interaction: Required

    A separate authenticated user must open the compromised dashboard in their browser for the injected script to execute, making this a social-engineering or opportunistic attack on active Checkmk users.

  • Attack complexity: Low

    Attack complexity is low; no race conditions or special environmental conditions are required, and the exploit is reliable once the payload is stored.

Blast Radius

  • Reads session tokens, cookies, and any data visible in the victim user's Checkmk browser context, which may include host and service monitoring data.
  • Performs actions in Checkmk on behalf of the victim user, including modifying dashboards, acknowledging alerts, or changing configuration objects the victim has permission to edit.
  • Exfiltrates credentials or API keys if the victim user's browser has them cached or auto-filled within the Checkmk interface.
  • Degrades monitoring visibility for the victim user's session by manipulating displayed dashboard content.

How HarborGuard Handles This

Available on HarborGuard: images running affected Checkmk versions are matched against this CVE within minutes of publication. For environments where a fix version is applicable, a rebuilt image at 2.3.0p48, 2.4.0p31, or 2.5.0p5 is made available as soon as the upstream release is confirmed. Where compliance policy permits auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For teams that manage patching manually, the finding is routed through the configured policy inbox with the full CVSS v4.0 context attached. Because this vulnerability requires a low-privilege authenticated user to plant the payload, network-layer isolation of the Checkmk web interface to trusted internal segments is a practical compensating control while patch deployment is in progress.

Fix available

  • 2.3.0p48 · 2.4.0p31 · 2.5.0p5
Affected packages
  • Checkmk GmbH / Checkmk
    < 2.5.0p5 (from 2.5.0) · < 2.4.0p31 (from 2.4.0) · < 2.3.0p48 (from 2.3.0) · 2.2.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N