Releasing Icinga 2 v2.15.2, v2.14.8, v2.13.14 and Icinga for Windows v1.13.4, v1.12.4, v1.11.2

Jan 29, 2026

Today, we are releasing multiple new versions of Icinga 2 and Icinga for Windows, all of them fixing a file permission issue present in all installations on Windows.

Impact

The following paths were created without setting proper permissions, allowing all local users to read their contents:

  • C:\ProgramData\icinga2\var created and used by Icinga 2. It contains the endpoint certificate and corresponding private key, synced configuration, and persisted state information. This was assigned CVE-2026-24413.
  • C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate created and used by Icinga for Windows. It contains a certificate bundle including a private key. This was assigned CVE-2026-24414.

In case your Windows installation uses non-standard paths, these folders may exist at different locations.

Patches

The following fixed versions were released:

  • Icinga 2 v2.15.2, v2.14.8 and v2.13.14
  • Icinga for Windows v1.13.4, v1.12.4 and v1.11.2

The permissions of an existing Icinga 2 agent installation managed by Icinga for Windows will automatically be fixed by these new versions of Icinga for Windows without needing to update the Icinga 2 agent itself.

Additional Changes in Icinga 2

All three new releases of Icinga 2 also update the bundled OpenSSL version to 3.0.19, though based on our assessment, none of the fixed vulnerabilities there affects Icinga. Icinga 2 v2.15.2 additionally includes some small bug fixes to the SELinux policy. For details, please check the release notes for the individual version linked above.

Workarounds

The issue can be mitigated without updating by manually updating the ACLs of the folders mentioned in the Impact section. Make sure to include every sub-folder and item, restricting access for general users and only allowing access for the Icinga service user and administrators.
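One way to apply and verify this workaround from an elevated PowerShell session. This is an added example, not code from Icinga; the function names and the `$ServiceUser` value are assumptions, so set the account your Icinga service actually runs as and adjust the paths for non-standard installations.

```powershell
# Added example (not Icinga's own tooling). Run in an elevated PowerShell session.
# Paths are the defaults from the Impact section; adjust for non-standard installs.
$Paths = @(
    'C:\ProgramData\icinga2\var',
    'C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate'
)
# Assumption: the account the Icinga service runs as on this host.
$ServiceUser = 'NT AUTHORITY\NETWORK SERVICE'
# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-BroadAce {
    # Lists every Allow ACE that gives a broad group access to $Path or anything below it.
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, $SidType)
        foreach ($rule in $rules) {
            if ($rule.AccessControlType -eq 'Allow' -and $BroadSids -contains $rule.IdentityReference.Value) {
                [pscustomobject]@{ Path = $item.FullName; Sid = $rule.IdentityReference.Value
                                   Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited }
            }
        }
    }
}

function Set-RestrictedAcl {
    param([string]$Path, [string]$ServiceUser)
    # Root folder: grant Administrators (S-1-5-32-544) full control and the
    # service user modify rights first, so access is never lost mid-change.
    icacls $Path /grant:r '*S-1-5-32-544:(OI)(CI)F' "${ServiceUser}:(OI)(CI)M" | Out-Null
    # Then stop inheriting from the parent and drop explicit grants to broad groups.
    icacls $Path /inheritance:r | Out-Null
    icacls $Path /remove:g '*S-1-1-0' '*S-1-5-11' '*S-1-5-32-545' | Out-Null
    # Children: discard their own ACLs so they inherit only from the restricted root.
    icacls (Join-Path $Path '*') /reset /T /C /Q | Out-Null
}

foreach ($p in $Paths | Where-Object { Test-Path -LiteralPath $_ }) {
    if (@(Get-BroadAce -Path $p).Count -gt 0) {
        Set-RestrictedAcl -Path $p -ServiceUser $ServiceUser
    }
    # Verification: after the change this should print no rows.
    Get-BroadAce -Path $p | Format-Table -AutoSize
}
```

Running `Get-BroadAce` on its own beforehand shows which files and folders were readable by general users without changing anything.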
