PatchSiren cyber security CVE debrief
CVE-2026-14852 Checkmk GmbH CVE debrief
CVE-2026-14852 is a privilege escalation vulnerability in Checkmk. A local unprivileged user can execute arbitrary commands as root by starting a process crafted to look like a SAP HANA instance. This vulnerability affects Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL). Users of these versions should apply patches to prevent local privilege escalation.
- Vendor
- Checkmk GmbH
- Product
- Checkmk
- CVSS
- MEDIUM 5.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Users of Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL) should apply patches to prevent local privilege escalation. Additionally, security teams and operators managing Checkmk deployments should review their environments for potential exposure.
Technical summary
The mk_sap_hana agent plugin derives instance identifiers from the process list and uses them to build a command executed with elevated privileges. This requires the plugin to run as root with RUNAS=agent. Without an explicit database configuration, a local unprivileged user can execute arbitrary commands as root by starting a process crafted to look like a SAP HANA instance. The vulnerability is due to the plugin's behavior of deriving instance identifiers from the process list.
Defensive priority
Apply patches immediately to prevent local privilege escalation.
Recommended defensive actions
- Apply patches for Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL)
- Restrict access to the mk_sap_hana agent plugin
- Monitor for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-14T10:16:31.117Z and has not been modified since then. The NVD entry is currently being reviewed. Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL) are potentially affected. Users should verify their deployments and apply patches as necessary.
Official resources
-
CVE-2026-14852 CVE record
CVE.org
-
CVE-2026-14852 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T10:16:31.117Z and has not been modified since then.