CVE-2026-24413

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24413
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24413.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-24413
Downstream
Related
  • GHSA-88h5-rrm6-5973
  • GHSA-vfjg-6fpv-4mmr
Published
2026-01-29T17:21:01.438Z
Modified
2026-01-30T02:34:52.964407Z
Severity
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Icinga has insecure permission of %ProgramData%\icinga2\var on Windows
Details

Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the %ProgramData%\icinga2\var folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder C:\ProgramData\icinga2\var (and C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24413.json",
    "cwe_ids": [
        "CWE-276"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/icinga/icinga2

Affected ranges

Type
GIT
Repo
https://github.com/icinga/icinga2
Events
Introduced
6176d3bc8c14a1f5ce3ab73fb45619e57e09e8c7
Fixed
7dc161c5a6a0b92df1b6c22c67c7f388996b582c
Database specific 
{
    "versions": [
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.13.14"
        }
    ]
}
Type
GIT
Repo
https://github.com/icinga/icinga2
Events
Introduced
0d5802937ba274fd3b9e13a48c4638cc104ad577
Fixed
735505b52206c40b4691aab0f3b6637be6fb7e46
Database specific 
{
    "versions": [
        {
            "introduced": "2.14.0"
        },
        {
            "fixed": "2.14.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/icinga/icinga2
Events
Introduced
f87948081fc2386fc7a30eb12ab01cb907dbe3fb
Fixed
0389154435354cf5cbaa7c0d1435a21d01dda879
Database specific 
{
    "versions": [
        {
            "introduced": "2.15.0"
        },
        {
            "fixed": "2.15.2"
        }
    ]
}

Affected versions

v2.*
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.11.0
v2.11.0-rc1
v2.12.0
v2.12.0-rc1
v2.13.0
v2.13.1
v2.13.10
v2.13.11
v2.13.12
v2.13.13
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.13.6
v2.13.7
v2.13.8
v2.13.9
v2.14.0
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.14.6
v2.14.7
v2.15.0
v2.15.1
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4.0
v2.4.1
v2.4.10
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.7.0
v2.7.1
v2.7.2
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.9.0
v2.9.1
v2.9.2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24413.json"