Checkmate by bluewave-labs is an open-source, self-hosted monitoring tool for server hardware, uptime, response times, and incident tracking with real-time visualizations. Prior to version 3.4.0, it contains a CWE-200 vulnerability (CVE-2026-30829) in the GET /api/v1/status-page/:url API endpoint. This endpoint fails to enforce authentication and does not verify whether the requested status page is published before returning its full details. Consequently, any unauthenticated user can retrieve unpublished status pages, exposing internal monitoring data that may include sensitive operational metrics or incident details. The vulnerability is remotely exploitable over the network without any privileges or user interaction, increasing its risk profile. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates low attack complexity and no impact on integrity or availability, but confidentiality is compromised. The flaw was publicly disclosed on March 7, 2026, and patched in Checkmate 3.4.0. No active exploitation has been observed, but the exposure of internal status data could aid attackers in reconnaissance or targeted attacks against infrastructure monitored by Checkmate.

The primary impact is unauthorized disclosure of sensitive internal monitoring data, which could include server hardware status, uptime metrics, response times, and incident details. This information leakage can aid attackers in mapping infrastructure, identifying weaknesses, or timing attacks based on incident reports. Although the vulnerability does not affect system integrity or availability, the confidentiality breach can undermine operational security and trust. Organizations relying on Checkmate for critical infrastructure monitoring may face increased risk of targeted attacks or information leakage to competitors or malicious actors. The ease of exploitation and network accessibility mean that any exposed instance of vulnerable Checkmate software is at risk. This could be particularly damaging in sectors with stringent confidentiality requirements such as finance, healthcare, government, and critical infrastructure.

Organizations should immediately upgrade all Checkmate deployments to version 3.4.0 or later, where the vulnerability is patched. Until upgrading is possible, restrict network access to the Checkmate API endpoints, especially the /api/v1/status-page/:url endpoint, using firewalls or network segmentation to limit exposure to trusted users only. Implement additional authentication or API gateway controls to enforce access restrictions on unpublished status pages. Regularly audit and monitor API access logs for unusual or unauthorized requests targeting status page endpoints. Consider encrypting sensitive monitoring data at rest and in transit to reduce impact if exposed. Finally, review and minimize the amount of sensitive information included in status pages, especially unpublished ones, to limit potential leakage.