CVE-2026-24414

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-24414
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24414.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-24414
Related
  • GHSA-88h5-rrm6-5973
  • GHSA-vfjg-6fpv-4mmr
Published
2026-01-29T17:35:43.323Z
Modified
2026-01-30T02:34:09.266056Z
Severity
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Icinga for Windows certificate can have too-open permissions
Details

The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissions of the Icinga for Windows certificate directory grant every user read access, which results in the exposure of private key of the Icinga certificate for the given host. All installations are affected. Versions 1.13.4, 1.12.4, and 1.11.2 contains a patch. Please note that upgrading to a fixed version of Icinga for Windows will also automatically fix a similar issue present in Icinga 2, CVE-2026-24413. As a workaround, the permissions can be restricted manually by updating the ACL for the given folder C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate (and C:\ProgramData\icinga2\var to fix the issue for the Icinga 2 agent as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24414.json",
    "cwe_ids": [
        "CWE-276"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/icinga/icinga-powershell-framework

Affected ranges

Type
GIT
Repo
https://github.com/icinga/icinga-powershell-framework
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
964a92c13e9a6b8ecdde5744ccc30e20add1c89a
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/icinga/icinga-powershell-framework
Events
Introduced
ce03447404e29d32729d37780d3cddcf169d059e
Fixed
4cd0acfdc2bf01c3638e4b537c0f07c471d24fcb
Database specific 
{
    "versions": [
        {
            "introduced": "1.12.0"
        },
        {
            "fixed": "1.12.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/icinga/icinga-powershell-framework
Events
Introduced
9907cc8e8e4c4fe47208182500f257f8718a5938
Fixed
3886dc04217bcf4837b7f011710bd3882663f87b
Database specific 
{
    "versions": [
        {
            "introduced": "1.13.0"
        },
        {
            "fixed": "1.13.4"
        }
    ]
}

Affected versions

0.*
0.0.1
v1.*
v1.0.0
v1.0.0-rc2
v1.0.0-rc3
v1.1.0
v1.10.0
v1.11.0
v1.11.1
v1.12.0
v1.12.1
v1.12.2
v1.12.3
v1.13.0
v1.13.1
v1.13.2
v1.13.3
v1.2.0
v1.3.0
v1.3.1
v1.4.0
v1.4.1
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-24414.json"