CVE-2026-8833: XSS in URLs
Improper neutralization of HTML-encoded characters in the URL validation function in Checkmk <2.5.0p5, <2.4.0p31, <2.3.0p48, and all 2.2.0 versions allows an authenticated user to bypass URL validation and inject malicious URLs such as javascript: URIs, resulting in cross-site scripting when another user interacts with the crafted link.
Metrics
- CVSS v4.0: 8.5
- Severity: HIGH
- Fixed in: 2.3.0p48
- Affected Products: 1
HarborGuard Analysis
Synopsis
Cross-site scripting (XSS) in Checkmk's URL validation function allows an authenticated attacker to inject malicious URLs, such as javascript: URIs, because HTML-encoded characters are not neutralized and the URL check can be bypassed. The vulnerability is reachable over the network and requires a low-privilege account to craft the payload; a second user must then interact with the crafted link for the script to execute. Successful exploitation gives the attacker full read and write access to the victim's session context, and can disrupt the victim's access to the Checkmk interface. Patched-image rebuilds at versions 2.3.0p48, 2.4.0p31, and 2.5.0p5 are available on HarborGuard for affected environments.
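A minimal model of this bug class, added here as an illustration and not taken from Checkmk's code or its fix: a scheme check applied to the raw string, next to one that first decodes HTML character references the way a browser would. The function names, the http/https allowlist, the layer limit and the sample inputs are assumptions constructed for this example.

```python
import html
import re

ALLOWED_SCHEMES = {"http", "https"}   # assumption: allowlist chosen for this example
MAX_LAYERS = 5                        # assumption: bound on nested encoding
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")   # RFC 3986 scheme syntax


def scheme_of(url: str) -> str:
    """Return the lowercased scheme, or "" when the string has none (relative URL)."""
    m = _SCHEME.match(url)
    return m.group(1).lower() if m else ""


def naive_is_safe(url: str) -> bool:
    """Weak form: checks the raw string, so an entity-encoded scheme looks relative."""
    return scheme_of(url) in ALLOWED_SCHEMES | {""}


def canonicalize(url: str) -> str:
    """Decode HTML character references until stable, then drop what browsers ignore."""
    for _ in range(MAX_LAYERS):
        decoded = html.unescape(url)
        if decoded == url:
            break
        url = decoded
    else:
        raise ValueError("too many encoding layers")
    url = re.sub(r"[\t\n\r]", "", url)                 # removed by browser URL parsers
    return url.lstrip("".join(map(chr, range(0x21))))  # leading C0 controls and space


def hardened_is_safe(url: str) -> bool:
    """Decide on the decoded form, which is what the browser will act on."""
    try:
        return scheme_of(canonicalize(url)) in ALLOWED_SCHEMES | {""}
    except ValueError:
        return False


def render_link(url: str, label: str) -> str:
    """Validate, then escape on output so stored entities are not decoded again."""
    if not hardened_is_safe(url):
        return html.escape(label)                      # render as plain text only
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


# Constructed inputs: each hides the scheme from a raw-string check.
SAMPLES = ["jav&#x61;script:void(0)", "javascript&colon;void(0)",
           "jav&amp;#x61;script:void(0)", "java&#9;script:void(0)"]
```

Every entry in `SAMPLES` passes `naive_is_safe` and fails `hardened_is_safe`; escaping the stored value at render time is the second layer that keeps an entity in the database from being decoded into a scheme by the browser.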
HarborGuard Coverage
Detection of CVE-2026-8833 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built Checkmk images. Any image running an affected Checkmk version (below 2.3.0p48, 2.4.0p31, or 2.5.0p5, or any 2.2.0 release) is flagged automatically.
HarborGuard scores this CVE at CVSS 8.5 (High) using the v4.0 vector and is capable of weighting that score against each customer environment's compliance policy to reflect local risk tolerance. Triage alerts are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at the earliest applicable fix version (2.3.0p48, 2.4.0p31, or 2.5.0p5 depending on the customer's tracked release line) becomes available on HarborGuard once upstream packages are published. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Checkmk web interface over the network to submit a crafted URL payload.
- Authentication: Required
  A low-privilege account is sufficient; the attacker must be authenticated to access the URL input function where the injection occurs.
- Victim interaction: Required
  A second user must click or otherwise interact with the attacker-crafted link for the injected script to execute in their browser.
- Attack complexity: Detail
  Exploitation is reliable and condition-free once the crafted link is delivered; no race conditions or special environmental factors are required.
Blast Radius
- Reads the victim user's active session tokens, cookies, and any data visible in their Checkmk browser context.
- Modifies Checkmk configuration or monitoring data on behalf of the victim, using their session privileges.
- Crashes or disrupts the victim's Checkmk interface session, preventing access to monitoring dashboards and alerts.
- Writes limited data to systems in Checkmk's secondary scope (SI:L), such as modifying non-critical cross-site resources reachable through the victim's session.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-8833 is active across all connected environments, with image matching beginning within minutes of the advisory publication. Where auto-remediation is enabled, HarborGuard can rebuild affected images at the appropriate fix version (2.3.0p48, 2.4.0p31, or 2.5.0p5), run a regression test pass, and open a patch PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where compliance policy restricts auto-remediation, HarborGuard surfaces the finding with CVSS scoring and fix-version guidance so teams can prioritize the manual upgrade. As a compensating control while a patched image is being prepared, consider restricting access to the Checkmk web interface via network policy to limit the pool of authenticated users who can submit crafted URLs.
Fix available
- Checkmk GmbH / Checkmk: < 2.5.0p5 (from 2.5.0) · < 2.4.0p31 (from 2.4.0) · < 2.3.0p48 (from 2.3.0) · 2.2.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N