Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-61907

Icinga 2 is an open source monitoring system. In Icinga 2 versions 2.4 through 2.15.0, filter expressions provided to the various /v1/objects endpoints could access variables or objects that would otherwise be inaccessible for the user. This allows authenticated API users to learn information that should be hidden from them, including global variables not permitted by the variables permission and objects not permitted by the corresponding objects/query permissions. The vulnerability is fixed in versions 2.15.1, 2.14.7, and 2.13.13.

Published

2025-10-16T18:15:37.820

Last Modified

2025-11-26T15:04:24.263

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-200
CWE-204
CWE-749

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	icinga	icinga	< 2.13.13	Yes
Application	icinga	icinga	< 2.14.7	Yes
Application	icinga	icinga	2.15.0	Yes

References

https://github.com/Icinga/icinga2/commit/56255ac7a689b9e198742d2fca6f7459a54c85a3 Patch ([email protected])
https://github.com/Icinga/icinga2/security/advisories/GHSA-gg32-w9rm-vp2v Patch, Vendor Advisory ([email protected])