CVE-2026-24413 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2026-24413 Interim 1 1 2026-03-05T00:16:27Z current 2026-03-05T00:16:27Z 2026-03-05T00:16:27Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2026-24413 Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 SUSE Linux Enterprise Module for HPC 12 openSUSE Tumbleweed icinga2 icinga2-2.15.2-1.1 icinga2-bin icinga2-bin-2.15.2-1.1 icinga2-common icinga2-common-2.15.2-1.1 icinga2-doc icinga2-doc-2.15.2-1.1 icinga2-ido-mysql icinga2-ido-mysql-2.15.2-1.1 icinga2-ido-pgsql icinga2-ido-pgsql-2.15.2-1.1 icinga2-libs nano-icinga2-2.15.2-1.1 vim-icinga2 vim-icinga2-2.15.2-1.1 icinga2-2.15.2-1.1 as a component of openSUSE Tumbleweed icinga2-bin-2.15.2-1.1 as a component of openSUSE Tumbleweed icinga2-common-2.15.2-1.1 as a component of openSUSE Tumbleweed icinga2-doc-2.15.2-1.1 as a component of openSUSE Tumbleweed icinga2-ido-mysql-2.15.2-1.1 as a component of openSUSE Tumbleweed icinga2-ido-pgsql-2.15.2-1.1 as a component of openSUSE Tumbleweed nano-icinga2-2.15.2-1.1 as a component of openSUSE Tumbleweed vim-icinga2-2.15.2-1.1 as a component of openSUSE Tumbleweed icinga2 as a component of SUSE Linux Enterprise Module for HPC 12 icinga2-bin as a component of SUSE Linux Enterprise Module for HPC 12 icinga2-common as a component of SUSE Linux Enterprise Module for HPC 12 icinga2-doc as a component of SUSE Linux Enterprise Module for HPC 12 icinga2-ido-mysql as a component of SUSE Linux Enterprise Module for HPC 12 icinga2-ido-pgsql as a component of SUSE Linux Enterprise Module for HPC 12 icinga2-libs as a component of SUSE Linux Enterprise Module for HPC 12 vim-icinga2 as a component of SUSE Linux Enterprise Module for HPC 12 Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in the its contents - including the private key of the user and synced configuration - being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contains a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These version will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for the Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. CVE-2026-24413 openSUSE Tumbleweed:icinga2-2.15.2-1.1 openSUSE Tumbleweed:icinga2-bin-2.15.2-1.1 openSUSE Tumbleweed:icinga2-common-2.15.2-1.1 openSUSE Tumbleweed:icinga2-doc-2.15.2-1.1 openSUSE Tumbleweed:icinga2-ido-mysql-2.15.2-1.1 openSUSE Tumbleweed:icinga2-ido-pgsql-2.15.2-1.1 openSUSE Tumbleweed:nano-icinga2-2.15.2-1.1 openSUSE Tumbleweed:vim-icinga2-2.15.2-1.1 SUSE Linux Enterprise Module for HPC 12:icinga2 SUSE Linux Enterprise Module for HPC 12:icinga2-bin SUSE Linux Enterprise Module for HPC 12:icinga2-common SUSE Linux Enterprise Module for HPC 12:icinga2-doc SUSE Linux Enterprise Module for HPC 12:icinga2-ido-mysql SUSE Linux Enterprise Module for HPC 12:icinga2-ido-pgsql SUSE Linux Enterprise Module for HPC 12:icinga2-libs SUSE Linux Enterprise Module for HPC 12:vim-icinga2 moderate 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N