TL;DR
Icinga patched three Icinga 2 vulnerabilities on 29 June 2026. Two let an unauthenticated attacker take over or crash the monitoring server. The third affects authenticated API users only. CVE numbers are still pending. No exploitation in the wild has been confirmed.
Why It Matters
Icinga 2 monitors large networks across many sites, so a compromised instance exposes broad infrastructure detail. The worst flaw grants full node takeover without any login, which puts any Icinga 2 host reachable on the network at real risk. Many teams place Icinga at the heart of their operations, so a takeover can ripple across connected systems. These Icinga 2 vulnerabilities demand a fast response.
How the Attacks Work
Certificate takeover (CVSS 9.8)
The JSON-RPC handler for certificate updates skipped sender validation, so an unauthenticated attacker could rewrite the node’s own certificate. Worse, the attacker could also replace the trusted CA certificate, which lets them impersonate a trusted node and seize control. Icinga tracks this flaw as GHSA-vj39-ww8j-vvx5.
Stack overflow (CVSS 8.6)
An attacker can send deeply nested JSON to trigger a stack overflow, and the vulnerable code is reachable by unauthenticated clients as well. The overflow crashes the Icinga 2 process. No one has demonstrated code execution yet, but the team cannot rule it out.
DSL injection (CVSS 7.2)
The /v1/objects API wrote template names into config files without sanitizing them, so an API user with create rights could inject configuration and escalate privileges. Two researchers reported this issue independently.
Affected Versions
The flaws affect every Icinga 2 release before the fixes. Icinga shipped patches in v2.16.2, v2.15.4, and v2.14.9. The two unauthenticated flaws carry the highest urgency.
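A fleet triage check built from the fixed versions listed above, as an added example that is not Icinga's own tooling. The hostnames and version strings are constructed samples, and treating branches newer than 2.16 as fixed is an assumption.

```python
import re

# First fixed release on each patched branch, taken from the advisory text.
FIXED = {(2, 14): 9, (2, 15): 4, (2, 16): 2}
OLDEST_FIXED = "2.14.9"

# Accepts bare versions and package/banner forms such as "r2.14.8-1" or "v2.16.2".
_VERSION_RE = re.compile(r"(?<![\d.])[rv]?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from a version string or banner line."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(text):
    """Return (status, upgrade_target); upgrade_target is None when fixed."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED:
        if patch >= FIXED[branch]:
            return "fixed", None
        return "affected", f"{major}.{minor}.{FIXED[branch]}"
    if branch > max(FIXED):
        # Assumption: branches released after 2.16 already carry the fixes.
        return "fixed", None
    # Older branch with no fixed release listed: move to a patched branch.
    return "affected", OLDEST_FIXED


def triage(inventory):
    """Map host -> assessment, with affected hosts listed first."""
    results = {host: assess(version) for host, version in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (kv[1][0] != "affected", kv[0])))


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "mon-master.example": "r2.14.8-1",
        "mon-sat1.example": "v2.16.2",
        "mon-sat2.example": "2.13.10",
        "mon-agent.example": "2.15.4-1.el9",
    }
    for host, (status, target) in triage(sample).items():
        print(f"{host:22} {status:9} {'upgrade to ' + target if target else ''}")
```

Feed it the version strings your package manager or inventory system reports; anything flagged as affected on a branch older than 2.14 has no in-branch fix listed here and needs a move to a patched branch.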
Patch and Mitigation
Upgrade to a fixed Icinga 2 build right away; the official Icinga security release notes have the full details. Until you patch, limit network access to TCP port 5665 and strip objects/create permissions from untrusted API users. Together, these steps cut the exposure fast. The release additionally fixes a memory leak and updates the bundled OpenSSL library.