Checkmate is an open-source, self-hosted monitoring tool that tracks server hardware, uptime, response times, and incidents with real-time visualizations. In versions before 3.4.0, the GET /api/v1/status-page/:url API endpoint suffers from an unauthenticated information disclosure vulnerability (CWE-200). This endpoint fails to enforce authentication or check whether a status page is published before returning its full details. Consequently, attackers can send crafted API requests to retrieve unpublished status pages and their associated internal data without any credentials or user interaction. The exposed information could include sensitive operational details about monitored infrastructure. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and has a CVSS 3.1 base score of 5.3, reflecting medium severity. The attack vector is network-based with low complexity and no privileges or user interaction required. The vulnerability does not affect data integrity or availability, only confidentiality. The issue was publicly disclosed and patched in Checkmate version 3.4.0. No known exploits have been reported in the wild to date.

The primary impact of this vulnerability is unauthorized disclosure of sensitive internal monitoring data, which could include server status, uptime metrics, incident reports, and other operational details. Such exposure can aid attackers in reconnaissance, allowing them to identify potential targets, understand infrastructure weaknesses, or plan further attacks. While the vulnerability does not allow modification or disruption of services, the loss of confidentiality can undermine organizational security posture and privacy. Organizations relying on Checkmate for critical infrastructure monitoring may face increased risk of targeted attacks if this information is leaked. The impact is heightened in environments where status pages contain sensitive or proprietary operational data. Since exploitation requires no authentication or user interaction, the vulnerability can be exploited remotely and easily by any attacker aware of the API endpoint. However, the lack of known active exploits suggests limited current exploitation. Prompt patching is essential to mitigate potential future risks.

Organizations using bluewave-labs Checkmate versions prior to 3.4.0 should upgrade immediately to version 3.4.0 or later, where this vulnerability is patched. Until upgrading, administrators should restrict network access to the Checkmate API endpoints, especially the /api/v1/status-page/:url endpoint, using firewall rules or network segmentation to limit exposure to trusted users only. Implementing authentication and authorization controls at the network or application proxy level can help prevent unauthorized API access. Review and minimize the amount of sensitive information displayed on status pages, particularly unpublished ones, to reduce potential data exposure. Regularly audit API access logs for suspicious or unauthorized requests targeting status pages. Additionally, consider deploying web application firewalls (WAFs) with rules to detect and block unauthenticated access attempts to sensitive API endpoints. Maintain an up-to-date inventory of Checkmate deployments and monitor vendor advisories for future security updates.