FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

icinga2 -- Improper access control for JSON-RPC update certificate messages

Affected packages
icinga2 < 2.16.2

Details

VuXML ID: 5b7cb356-749c-11f1-8a71-50ebf6bdf8e9
Discovery: 2026-06-29
Entry: 2026-06-30

The Icinga team reports:

The code handling certificate update JSON-RPC messages was flawed and did not properly validate the sender of the message, allowing an unauthenticated attacker that can connect to Icinga 2 to update both the own certificate as well as the trusted CA certificate. Updating the trusted CA allows an attacker to impersonate a trusted node, allowing them to take control over the node.

Any Icinga 2 instance that is accessible to an attacker over the network is affected.

References

URL: https://github.com/Icinga/icinga2/security/advisories/GHSA-vj39-ww8j-vvx5