CVE-2026-24414 — MEDIUM (5.5)

Q: How severe is CVE-2026-24414?

CVE-2026-24414 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-24414?

Check the references section above for vendor advisories and patch information. Affected products include: Icinga Icinga Powershell Framework.

Vulnerability Description

The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissions of the Icinga for Windows `certificate` directory grant every user read access, which results in the exposure of private key of the Icinga certificate for the given host. All installations are affected. Versions 1.13.4, 1.12.4, and 1.11.2 contains a patch. Please note that upgrading to a fixed version of Icinga for Windows will also automatically fix a similar issue present in Icinga 2, CVE-2026-24413. As a workaround, the permissions can be restricted manually by updating the ACL for the given folder `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` (and `C:\ProgramData\icinga2\var` to fix the issue for the Icinga 2 agent as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Icinga	Icinga Powershell Framework	< 1.11.2

Related Weaknesses (CWE)

CWE-276

References

https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-8Vendor Advisory
https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmrNot Applicable
https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-fThird Party Advisory

FAQ

What is CVE-2026-24414?

CVE-2026-24414 is a vulnerability with a CVSS score of 5.5 (MEDIUM). The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permission...

How severe is CVE-2026-24414?

CVE-2026-24414 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-24414?

Check the references section above for vendor advisories and patch information. Affected products include: Icinga Icinga Powershell Framework.