Icinga 2 has released patches addressing three critical vulnerabilities detected on June 29, 2026. Two of these allow unauthenticated attackers to take over or crash the monitoring server, while the third affects authenticated API users. The reported vulnerabilities include a certificate takeover (CVSS 9.8), in which the JSON-RPC handler failed to validate senders, and a stack overflow (CVSS 8.6), in which deeply nested JSON can crash the server.
A DSL injection vulnerability (CVSS 7.2) allows API users to escalate privileges due to unsanitized input. All affected versions must be upgraded to patched releases (v2.16.2, v2.15.4, v2.14.9) to mitigate risks. Immediate actions are recommended to limit exposure until patches are applied.
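
The stack overflow described above is reached through deeply nested JSON. As an added example (not Icinga 2 code and not the project's fix), the following non-recursive check rejects over-nested input before any recursive parser handles it; the function names and the limit of 64 are assumptions.

```cpp
// Added example: iterative nesting-depth check for untrusted JSON text.
// Not Icinga 2 code; the max_depth of 64 used in main() is an assumed limit.
#include <cstddef>
#include <iostream>
#include <string>

// Returns true if `text` never nests objects/arrays deeper than max_depth and
// every open has a close. Bracket types are not matched; the real parser does
// that. Runs in O(n) time with constant stack, so input cannot recurse it.
bool json_depth_ok(const std::string& text, std::size_t max_depth)
{
    std::size_t depth = 0;
    bool in_string = false, escaped = false;

    for (char c : text) {
        if (in_string) {
            if (escaped)        escaped = false;   // char after a backslash is literal
            else if (c == '\\') escaped = true;
            else if (c == '"')  in_string = false;
            continue;                              // brackets inside strings do not nest
        }
        switch (c) {
        case '"': in_string = true; break;
        case '{': case '[':
            if (++depth > max_depth) return false; // reject before parsing
            break;
        case '}': case ']':
            if (depth == 0) return false;          // close without a matching open
            --depth;
            break;
        default: break;
        }
    }
    return depth == 0 && !in_string;
}

// Constructed sample input: n nested arrays around a single number.
std::string nested_arrays(std::size_t n)
{
    return std::string(n, '[') + "1" + std::string(n, ']');
}

int main()
{
    std::cout << "depth 64:     " << json_depth_ok(nested_arrays(64), 64) << "\n";
    std::cout << "depth 100000: " << json_depth_ok(nested_arrays(100000), 64) << "\n";
    return 0;
}
```

A check like this is a stopgap in front of an unpatched parser, not a replacement for upgrading to the patched releases listed above.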