CVE-2026-31836

HIGH

Mass Assignment Privilege Escalation in Checkmate

Title source: cna

Description

Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions from 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any authenticated user to escalate their privileges to superadmin, bypassing all role-based access controls. An attacker can modify their user role to gain complete administrative access to the application, including the ability to view all users, modify critical configurations, and access sensitive system data. At time of publication, there are no publicly available patches.

References (1)

[X_Refsource_Confirm] https://github.com/bluewave-labs/Checkmate/security/advisories/GHSA-6368-x7wr-wpm2

Scores

CVSS v3 8.1

EPSS 0.0004

EPSS Percentile 11.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-269 CWE-285

Status published

Products (2)

bluewave-labs/Checkmate <= 3.5.1

bluewavelabs/checkmate < 3.5.1

Published Mar 20, 2026

Tracked Since Mar 20, 2026