CVE-2026-14852: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Checkmk GmbH Checkmk
CVE-2026-14852 is a privilege escalation vulnerability in Checkmk that affects certain versions prior to patched releases. A local unprivileged user can exploit the mk_sap_hana agent plugin by crafting a process that mimics a SAP HANA instance, causing the plugin to execute arbitrary commands as root. This occurs because the plugin derives instance identifiers from the process list without explicit database configuration and uses them to build commands run with elevated privileges. The vulnerability requires the plugin to run as root with RUNAS=agent. The CVSS score is 5.2, indicating medium severity.
AI Analysis
Technical Summary
Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL) contain an OS command injection vulnerability (CWE-78) in the mk_sap_hana agent plugin. The plugin, when running as root with RUNAS=agent, derives SAP HANA instance identifiers from the process list if no explicit database configuration is provided. An unprivileged local user can start a process crafted to appear as a SAP HANA instance, causing the plugin to execute arbitrary commands with root privileges. This leads to privilege escalation on the affected systems.
Potential Impact
An unprivileged local user can escalate privileges to root by exploiting the mk_sap_hana agent plugin's improper handling of process-derived instance identifiers. This allows arbitrary command execution with elevated privileges, potentially compromising the entire system. The vulnerability requires local access and the plugin running as root with RUNAS=agent. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid running the mk_sap_hana agent plugin as root with RUNAS=agent or explicitly configure the database to prevent the plugin from deriving instance identifiers from the process list. Monitor vendor communications for patches or updates addressing this vulnerability.
CVE-2026-14852: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Checkmk GmbH Checkmk
Description
CVE-2026-14852 is a privilege escalation vulnerability in Checkmk that affects certain versions prior to patched releases. A local unprivileged user can exploit the mk_sap_hana agent plugin by crafting a process that mimics a SAP HANA instance, causing the plugin to execute arbitrary commands as root. This occurs because the plugin derives instance identifiers from the process list without explicit database configuration and uses them to build commands run with elevated privileges. The vulnerability requires the plugin to run as root with RUNAS=agent. The CVSS score is 5.2, indicating medium severity.
CVSS v4.0
Score 5.2medium
Affected software
pkg:github/checkmk/checkmkRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Checkmk versions 2.5.0 before 2.5.0p9, 2.4.0 before 2.4.0p34, 2.3.0 before 2.3.0p49, and 2.2.0 (EOL) contain an OS command injection vulnerability (CWE-78) in the mk_sap_hana agent plugin. The plugin, when running as root with RUNAS=agent, derives SAP HANA instance identifiers from the process list if no explicit database configuration is provided. An unprivileged local user can start a process crafted to appear as a SAP HANA instance, causing the plugin to execute arbitrary commands with root privileges. This leads to privilege escalation on the affected systems.
Potential Impact
An unprivileged local user can escalate privileges to root by exploiting the mk_sap_hana agent plugin's improper handling of process-derived instance identifiers. This allows arbitrary command execution with elevated privileges, potentially compromising the entire system. The vulnerability requires local access and the plugin running as root with RUNAS=agent. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid running the mk_sap_hana agent plugin as root with RUNAS=agent or explicitly configure the database to prevent the plugin from deriving instance identifiers from the process list. Monitor vendor communications for patches or updates addressing this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Checkmk
- Date Reserved
- 2026-07-06T11:50:44.392Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a56095968715ace4346dd87
Added to database: 07/14/2026, 10:03:05 UTC
Last enriched: 07/14/2026, 10:18:08 UTC
Last updated: 07/14/2026, 10:50:05 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.