CVE-2025-61907: 
Icinga vulnerability analysis and mitigation

Icinga 2, an open source monitoring system, was found to contain a vulnerability (CVE-2025-61907) affecting versions 2.4 through 2.15.0. The vulnerability allows authenticated API users to access variables or objects that should be inaccessible through filter expressions provided to various /v1/objects endpoints. The issue was disclosed on October 16, 2025, and has been patched in versions 2.15.1, 2.14.7, and 2.13.13 (GitHub Advisory, NVD).

The vulnerability stems from insufficient access control in filter expressions provided to the /v1/objects API endpoints. The issue allows authenticated users to bypass intended access restrictions and access global variables not permitted by the variables permission, as well as objects not permitted by the corresponding objects/query permissions. The vulnerability has been assigned a CVSS v4.0 base score of 7.1 (High), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N (GitHub Advisory).

The vulnerability enables authenticated API users to access sensitive information that should be hidden from them, including global variables and objects beyond their permission scope. This can lead to unauthorized access to configuration data and monitoring information that should be restricted based on user permissions (GitHub Advisory).

The vulnerability has been fixed in Icinga 2 versions 2.15.1, 2.14.7, and 2.13.13. The patches implement proper access controls for filter expressions in API requests, restricting access to global variables based on user permissions and limiting the getobject() function to only return objects the user is authorized to see. Additionally, certain functions (getobjects(), gettemplate(), gettemplates(), getenv()) have been disabled in API filter expressions. As a temporary workaround, organizations can limit API access to trusted users only (GitHub Advisory).