Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Unauthenticated Access to Internal Server Status Pages in Checkmate
CVE-2026-30829
Summary
An issue in older versions of Checkmate allows anyone to view internal server status pages and data without a password. This means that sensitive information about your server's performance and uptime might be visible to unauthorized users. Update to version 3.4.0 to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| bluewavelabs | checkmate | <= 3.4.0 | – |
Original title
Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0...
Original description
Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. Prior to version 3.4.0, an unauthenticated information disclosure vulnerability exists in the GET /api/v1/status-page/:url endpoint. The endpoint does not enforce authentication or verify whether a status page is published before returning full status page details. As a result, unpublished status pages and their associated internal data are accessible to any unauthenticated user via direct API requests. This issue has been patched in version 3.4.0.
nvd CVSS3.1
5.3
Vulnerability type
CWE-200
Information Exposure
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026