securityonline.info 7/3/2026, 2:42:33 AM · external

Icinga 2 Vulnerabilities Allow Unauthenticated Node Takeover

Primary Source icinga.com

Icinga 2 has released patches addressing three critical vulnerabilities detected on June 29, 2026. Two of these allow unauthenticated attackers to take over or crash the monitoring server, while the third affects authenticated API users. The reported vulnerabilities include a certificate takeover (CVSS 9.8), in which the JSON-RPC handler failed to validate senders, and a stack overflow (CVSS 8.6), which can crash the server through deeply nested JSON.

A DSL injection vulnerability (CVSS 7.2) allows API users to escalate privileges due to unsanitized input. All affected versions must be upgraded to patched releases (v2.16.2, v2.15.4, v2.14.9) to mitigate risks. Immediate actions are recommended to limit exposure until patches are applied.
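To find which nodes still need the upgrade, the sketch below triages reported Icinga 2 version strings against the three patched releases named above. It is an added example, not code from Icinga or the article; the hostnames and version strings are constructed, and treating branches newer than 2.16 as already fixed is an assumption.

```python
import re

# Patched releases named in the article, keyed by (major, minor) branch.
PATCHED = {(2, 16): (2, 16, 2), (2, 15): (2, 15, 4), (2, 14): (2, 14, 9)}

# Accepts "2.14.8", "v2.16.2", "r2.15.3-1" or a full version banner line.
_VERSION_RE = re.compile(r"(?<![\d.])[rv]?(\d+)\.(\d+)\.(\d+)(?!\d)")


def parse_version(text):
    """Return (major, minor, patch) found in a version string, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(text):
    """Classify one reported version against the patched releases."""
    version = parse_version(text)
    if version is None:
        return "unparsed"
    fixed = PATCHED.get(version[:2])
    if fixed is not None:
        # Tuple comparison is numeric, so 2.14.10 sorts after 2.14.9.
        return "patched" if version >= fixed else "upgrade-required"
    # Assumption: a branch newer than the newest listed one carries the fixes.
    if version[:2] > max(PATCHED):
        return "patched"
    # Older branches have no patched release listed in the article.
    return "no-fix-listed"


def triage_inventory(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: triage(raw) for host, raw in inventory.items()}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = {
    "mon-master-01": "icinga2 - The Icinga 2 network monitoring daemon (version: r2.14.8-1)",
    "mon-master-02": "v2.16.2",
    "sat-eu-01": "2.15.3",
    "sat-eu-02": "2.14.10",
    "agent-legacy": "r2.13.7-1",
    "agent-broken": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host:16} {status}")
```

Hosts reported as `no-fix-listed` run a branch for which the article names no patched release, so they need to be checked against the vendor advisory rather than assumed safe.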


Article by CyberSIXT