PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14852 Checkmk GmbH CVE debrief

CVE-2026-14852 is a privilege escalation vulnerability in Checkmk. A local unprivileged user can execute arbitrary commands as root by starting a process crafted to look like a SAP HANA instance. This vulnerability affects Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL). Users of these versions should apply patches to prevent local privilege escalation.

Vendor
Checkmk GmbH
Product
Checkmk
CVSS
MEDIUM 5.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-14
Advisory published
2026-07-14
Advisory updated
2026-07-14

Who should care

Users of Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL) should apply patches to prevent local privilege escalation. Additionally, security teams and operators managing Checkmk deployments should review their environments for potential exposure.

Technical summary

The mk_sap_hana agent plugin derives instance identifiers from the process list and uses them to build a command executed with elevated privileges. This requires the plugin to run as root with RUNAS=agent. Without an explicit database configuration, a local unprivileged user can execute arbitrary commands as root by starting a process crafted to look like a SAP HANA instance. The vulnerability is due to the plugin's behavior of deriving instance identifiers from the process list.

Defensive priority

Apply patches immediately to prevent local privilege escalation.

Recommended defensive actions

  • Apply patches for Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL)
  • Restrict access to the mk_sap_hana agent plugin
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-14T10:16:31.117Z and has not been modified since then. The NVD entry is currently being reviewed. Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL) are potentially affected. Users should verify their deployments and apply patches as necessary.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T10:16:31.117Z and has not been modified since then.