{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T08:09:17.517","vulnerabilities":[{"cve":{"id":"CVE-2026-24413","sourceIdentifier":"security-advisories@github.com","published":"2026-01-29T18:16:15.450","lastModified":"2026-02-19T20:56:00.010","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\\icinga2\\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\\ProgramData\\icinga2\\var` (and `C:\\Program Files\\WindowsPowerShell\\modules\\icinga-powershell-framework\\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access."},{"lang":"es","value":"Icinga 2 es un sistema de monitoreo de código abierto. A partir de la versión 2.3.0 y antes de las versiones 2.13.14, 2.14.8 y 2.15.2, el MSI de Icinga 2 no configuraba los permisos adecuados para la carpeta '%ProgramData%\\icinga2\\var' en Windows. Esto resultaba en que su contenido - incluyendo la clave privada del usuario y la configuración sincronizada - fuera legible por todos los usuarios locales. Todas las instalaciones en Windows están afectadas. Las versiones 2.13.14, 2.14.8 y 2.15.2 contienen una solución. Existen dos posibilidades para solucionar el problema sin actualizar Icinga 2. Actualice Icinga para Windows a al menos la versión v1.13.4, v1.12.4 o v1.11.2. Estas versiones corregirán automáticamente las ACL para el agente de Icinga 2 también. Alternativamente, actualice manualmente la ACL para la carpeta dada 'C:\\ProgramData\\icinga2\\var' (y 'C:\\Program Files\\WindowsPowerShell\\modules\\icinga-powershell-framework\\certificate' para solucionar el problema también para Icinga para Windows) incluyendo cada subcarpeta y elemento para restringir el acceso a los usuarios generales, permitiendo el acceso solo al usuario de servicio de Icinga y a los administradores."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":5.5,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":1.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-276"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*","versionStartIncluding":"2.3.0","versionEndExcluding":"2.13.14","matchCriteriaId":"EF4A8D01-2AF4-42AB-BD24-FFFBA30B2BE9"},{"vulnerable":true,"criteria":"cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*","versionStartIncluding":"2.14.0","versionEndExcluding":"2.14.8","matchCriteriaId":"EF121DB1-2B90-40BB-ACC2-A4E15D48DA80"},{"vulnerable":true,"criteria":"cpe:2.3:a:icinga:icinga:*:*:*:*:*:*:*:*","versionStartIncluding":"2.15.0","versionEndExcluding":"2.15.2","matchCriteriaId":"0C5F1C29-FC79-492C-A2A9-1DA4E65268F6"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}],"references":[{"url":"https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-88h5-rrm6-5973","source":"security-advisories@github.com","tags":["Not Applicable"]},{"url":"https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmr","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2","source":"security-advisories@github.com","tags":["Patch","Press/Media Coverage"]}]}}]}