We are shipping a new batch of Icinga Web ecosystem releases today. Icinga Web 2.14 is the headline, bringing the baseline for two-factor authentication support, configurable password policies, a configurable Content Security Policy, and a round of developer tooling improvements that have been in the works for a while. Icinga Certificate Monitoring 1.4, Icinga Reporting 1.1, and Icinga PDF Export 0.13 join it with PHP 8.5 support across the board and a set of focused improvements for each module.
A common thread through all of these releases is raising the IPL PHP Library to version 1.0.0. This has been a significant undertaking given how many moving parts are involved, and it is now complete across the core modules.
We also want to use this post to flag a security fix that shipped for older Icinga Web branches, so read on even if you are not upgrading to 2.14 right away.
Security Releases for Icinga Web 2.12.7 and 2.13.1
We are releasing Icinga Web 2.12.7 and 2.13.1 to close a low-risk open redirect vulnerability, tracked as GHSA-w7c2-xjv9-q8fv (CVE pending). We have requested a CVE number for this GHSA and will add it here once it has been assigned. It is rated low severity, but if you are running 2.13.0 or earlier you should still treat it as a priority update.
Impact: An attacker can craft a URL that, once opened by an authenticated user, or by someone who is merely able to authenticate, lets them manipulate the backend into redirecting that user to an arbitrary location of the attacker’s choosing. In practice this is the classic phishing setup, a link that looks like it points at your Icinga Web instance but quietly hands the victim off somewhere else once they log in.
The attack has one prerequisite. The victim’s locale in Icinga Web must be set to anything other than en_US. If your installation runs entirely on the default English locale, you were not affected, but we would still recommend updating, since locale is a per-user setting and you cannot rely on every account staying on en_US indefinitely.
All versions up to and including 2.13.0 are affected. If you are staying on 2.12.x or 2.13.x for now, please update to 2.12.7 or 2.13.1 as soon as you reasonably can. No workaround exists short of upgrading.
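A fleet check for the affected range has to be branch-aware, because 2.12.7 is fixed even though it sorts below 2.13.0. The following is an added example, not code from the Icinga project: the host names and inventory are constructed, and treating 2.14.0 and later as fixed (and as the target for branches older than 2.12) is an assumption drawn from the wording above.

```python
import re

# Fixed releases named in the announcement, keyed by (major, minor) branch.
FIXED_ON_BRANCH = {(2, 12): (2, 12, 7), (2, 13): (2, 13, 1)}
# Assumption: 2.14.0 and later carry the fix ("up to and including 2.13.0").
FIRST_FIXED_BRANCH = (2, 14)


def parse_version(text):
    """Parse '2.12.6', 'v2.13.0' or a package string such as '2.12.6-1.el9'."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def needs_redirect_fix(version):
    """True if this Icinga Web version predates the open redirect fix."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch >= FIRST_FIXED_BRANCH:
        return False
    fixed = FIXED_ON_BRANCH.get(branch)
    # Branches older than 2.12 have no fixed release named on the page.
    return fixed is None or parsed < fixed


def upgrade_target(version):
    """Fixed release on the same branch; otherwise 2.14.0 (assumption)."""
    fixed = FIXED_ON_BRANCH.get(parse_version(version)[:2], (2, 14, 0))
    return ".".join(str(part) for part in fixed)


def audit(inventory):
    """Return {host: target} for every host that still needs the update."""
    return {host: upgrade_target(ver) for host, ver in inventory.items()
            if needs_redirect_fix(ver)}


# Constructed inventory for illustration; host names are hypothetical.
SAMPLE_INVENTORY = {
    "mon-a.example": "2.12.7",        # patched, although 2.12.7 < 2.13.0
    "mon-b.example": "2.13.0",
    "mon-c.example": "2.12.6-1.el9",
    "mon-d.example": "2.11.4",
    "mon-e.example": "2.14.0",
}

if __name__ == "__main__":
    for host, target in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: update to {target}")
```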
Thanks to Alemmi for finding and responsibly reporting this issue.
Icinga Web 2.14.0
Icinga Web 2.14 ships four meaningful improvements. Two-factor authentication is now a proper extension point where modules can register methods, users enroll through their account settings, and a token challenge page sits between password login and session creation. HTTP Basic auth is blocked for enrolled users since the token step has no path to completion over that protocol.
Password policies can now be enforced for database-backed accounts. Two built-in policies cover the range from no validation at all to a baseline requiring 12 characters with mixed case, a digit, and a special character, and third-party modules can add their own policies through a new hook.
The Content Security Policy header moved from a hardcoded string to a dynamically assembled one, built from system directives, module contributions, and dashlet entries, with an admin opt-out for full manual control and a new settings page that shows the effective policy alongside a basic security analysis.
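To make the idea of an assembled policy concrete, here is an added sketch (not Icinga Web's implementation) that merges directive contributions from three sources into one header value and runs a basic analysis over the result. All names, the sample contributions and the analysis rules are assumptions chosen for illustration.

```python
# Sources that weaken a policy wherever they appear (assumed rule set).
RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def assemble_csp(*contributions):
    """Merge directive maps in order, keeping first-seen order, no duplicates."""
    merged = {}
    for contribution in contributions:
        for directive, sources in contribution.items():
            bucket = merged.setdefault(directive.lower(), [])
            for source in sources:
                if source not in bucket:
                    bucket.append(source)
    # Browsers ignore 'none' when other sources are listed beside it, so a
    # contribution that widens a 'none' default replaces it in the output.
    for bucket in merged.values():
        if len(bucket) > 1 and "'none'" in bucket:
            bucket.remove("'none'")
    return merged


def render_csp(policy):
    """Serialise the merged policy as a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items())


def analyse(policy):
    """Return human-readable findings for the effective policy."""
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: unlisted fetch types unrestricted")
    for directive, sources in policy.items():
        for source in sources:
            if source in RISKY_SOURCES:
                findings.append(f"{directive} allows {source}")
    return findings


# Constructed contributions; hosts and directives are hypothetical.
SYSTEM = {"default-src": ["'self'"], "script-src": ["'self'"],
          "img-src": ["'self'", "data:"], "frame-src": ["'none'"]}
MODULE = {"img-src": ["https://tiles.example"],
          "style-src": ["'self'", "'unsafe-inline'"]}
DASHLET = {"frame-src": ["https://grafana.example"]}

if __name__ == "__main__":
    effective = assemble_csp(SYSTEM, MODULE, DASHLET)
    print(render_csp(effective))
    for finding in analyse(effective):
        print("finding:", finding)
```

The dashlet entry shows why the effective policy is worth reviewing after every module or dashboard change: one contribution turns a `frame-src 'none'` default into an allowance for an external host.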
Lastly, the LESS compilation has been moved into the IPL web library. This eliminates a large chunk of duplicated code, and the compiler now delegates to a single, maintained library rather than carrying its own parallel implementation.
Icinga Certificate Monitoring 1.4.0
Icinga Certificate Monitoring 1.4 is a solid feature release on top of the standard PHP 8.5 support.
The job table now shows the CIDRs and ports alongside other job details, giving you a clearer picture of what a scan covers at a glance. The schedule form has been improved too: instead of checkboxes for scan type, there is now a radio switcher that makes the selection more obvious.
A new command line flag lets you import a CA certificate bundle as trusted certificates in a single step, without needing a separate import command. You can also now grant access to the x509 configuration section via a dedicated permission, making it easier to delegate module configuration without granting full administrator access.
For Icinga Director users, a new example basket is included with a port scanning service configuration, giving you a ready-made starting point for integrating certificate monitoring into your existing Icinga Director setup.
Icinga Reporting 1.1.0
Icinga Reporting 1.1 fixes a subtle but frustrating bug: modifying a report’s configuration had no effect on its scheduled runs, because the schedule’s checksum did not include the report’s own configuration. Scheduled reports now detect configuration changes and re-render correctly.
The module’s CLI commands now run with raised memory and execution limits, matching what the web interface already allows. This prevents out-of-memory failures when generating large reports from the command line.
PDF generation has been switched back to synchronous mode. The asynchronous approach introduced an event loop conflict with the PDF export module, causing hangs in some setups. Synchronous export is more reliable and the performance difference is not significant for typical report workloads.
The schedule configuration widget has also been updated to use the standard scheduling element, and the module now requires IPL PHP Library version 1.0.0.
Icinga PDF Export 0.13.0
Icinga PDF Export 0.13 fixes a hang that occurred when using a locally installed Chromium. Chrome’s process pipes were not being closed before termination, which kept the event loop alive indefinitely after PDF generation finished. That is now resolved.
The module switches to Icinga’s own fork of the PDF merge library, which had become unmaintained upstream and lacked PHP 8.2 compatibility. The WebSocket library has also been updated to the latest version.
PHP 8.5 is supported, the minimum PHP version is 8.2, and the module now requires IPL PHP Library version 1.0.0.
Upgrading
Icinga Web and all four modules in this release raise their minimum PHP requirement to 8.2 and require Icinga PHP Library version 1.0.0 and a compatible Icinga PHP Thirdparty. This version of the library includes react/promise v3, which has breaking changes compared to v2. If you maintain a custom module that uses promises, review the react/promise v3 migration guide before upgrading.
The license has been updated to GPL-3.0-only across Icinga Web and all modules in this release.
For Icinga Web itself, the upgrade path is straightforward and does not require any additional migration steps. For the modules, verify that your environment meets the PHP 8.2 minimum before proceeding.
If you are staying on Icinga Web 2.12.x or 2.13.x, make sure you are running at least 2.12.7 or 2.13.1, since those releases include the open redirect fix described above.
Packages and Support
Packages are available through the Icinga package repository. If you run into issues or have questions about the upgrade, the Icinga Community Forums are the best place to reach the team and other users.






