{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30829", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.606Z", "datePublished": "2026-03-07T05:46:00.460Z", "dateUpdated": "2026-03-10T17:58:13.860Z"}, "containers": {"cna": {"title": "Checkmate: Unauthenticated Access to Unpublished Status Page", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-57xf-wg6w-fjrr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-57xf-wg6w-fjrr"}], "affected": [{"vendor": "bluewave-labs", "product": "Checkmate", "versions": [{"version": "< 3.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:46:00.460Z"}, "descriptions": [{"lang": "en", "value": "Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url endpoint. The endpoint does not enforce authentication or verify whether a status page is published before returning full status page details. As a result, unpublished status pages and their associated internal data are accessible to any unauthenticated user via direct API requests. This issue has been patched in version 3.4.0."}], "source": {"advisory": "GHSA-57xf-wg6w-fjrr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T17:45:54.298897Z", "id": "CVE-2026-30829", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T17:58:13.860Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30829", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T17:45:54.298897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T17:50:33.556Z"}}], "cna": {"title": "Checkmate: Unauthenticated Access to Unpublished Status Page", "source": {"advisory": "GHSA-57xf-wg6w-fjrr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "bluewave-labs", "product": "Checkmate", "versions": [{"status": "affected", "version": "< 3.4.0"}]}], "references": [{"url": "https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-57xf-wg6w-fjrr", "name": "https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-57xf-wg6w-fjrr", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url endpoint. The endpoint does not enforce authentication or verify whether a status page is published before returning full status page details. As a result, unpublished status pages and their associated internal data are accessible to any unauthenticated user via direct API requests. This issue has been patched in version 3.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T05:46:00.460Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30829", "state": "PUBLISHED", "dateUpdated": "2026-03-10T17:58:13.860Z", "dateReserved": "2026-03-05T21:06:44.606Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T05:46:00.460Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bluewavelabs:checkmate:*:*:*:*:*:*:*:*", "matchCriteriaId": "47231DDC-8E2F-4BBA-95DA-C270F8DE9F14", "versionEndExcluding": "3.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url endpoint. The endpoint does not enforce authentication or verify whether a status page is published before returning full status page details. As a result, unpublished status pages and their associated internal data are accessible to any unauthenticated user via direct API requests. This issue has been patched in version 3.4.0."}, {"lang": "es", "value": "Checkmate es una herramienta de c\u00f3digo abierto y autoalojada dise\u00f1ada para rastrear y monitorear el hardware del servidor, el tiempo de actividad, los tiempos de respuesta y los incidentes en tiempo real con hermosas visualizaciones. Antes de la versi\u00f3n 3.4.0, existe una vulnerabilidad de revelaci\u00f3n de informaci\u00f3n no autenticada en el endpoint GET /api/v1/status-page/:url. El endpoint no aplica autenticaci\u00f3n ni verifica si una p\u00e1gina de estado est\u00e1 publicada antes de devolver los detalles completos de la p\u00e1gina de estado. Como resultado, las p\u00e1ginas de estado no publicadas y sus datos internos asociados son accesibles para cualquier usuario no autenticado a trav\u00e9s de solicitudes directas a la API. Este problema ha sido parcheado en la versi\u00f3n 3.4.0."}], "id": "CVE-2026-30829", "lastModified": "2026-03-11T18:56:04.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-07T06:16:10.957", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-57xf-wg6w-fjrr"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.4.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Checkmate", "source": "cna", "vendor": "bluewave-labs"}, "product": "checkmate", "vendor": "bluewave-labs"}], "analysis": {"en": {"generated_at": "2026-04-17T12:14:05.393070+00:00", "value": {"mitigation_remediation": ["Upgrade Checkmate to version 3.4.0 or newer to apply the official fix.", "If upgrading is delayed, restrict unauthenticated access to the /api/v1/status-page/:url endpoint using firewall rules or reverse\u2011proxy authentication, ensuring only trusted hosts can query it.", "Continuously monitor API logs for suspicious GET requests to the status\u2011page endpoint and investigate any unauthorized attempts."], "summary": {"action": "Immediate Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the open\u2011source Checkmate tool provided by bluewave\u2011labs. All installations running any version older than 3.4.0 are susceptible, as the fix was introduced in that release.", "description_and_impact": "An unauthenticated GET request to the /api/v1/status-page/:url endpoint exposes full status page information even if it has not been published. This lack of authentication and publication state verification represents a CWE-200 Information Exposure vulnerability. The endpoint omits authentication checks and does not verify publication state, allowing any user to retrieve internal hardware, uptime, response time, and incident details. This information disclosure can lead to compromised confidentiality of server infrastructure and operational insights.", "risk_and_exploitability": "The CVSS score of 5.3 reflects a moderate severity, while the EPSS score of less than 1% indicates a low probability of exploitation. The vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can simply issue an unauthenticated HTTP GET request to the vulnerable endpoint without needing special permissions, making the exploit straightforward."}}}}, "created": "2026-03-09T10:05:48.634400+00:00", "updated": "2026-04-17T12:15:18.176057+00:00", "vendors": ["bluewave-labs", "bluewave-labs$PRODUCT$checkmate"]}