Security Bulletin

February release monthly security bulletin for Centreon Infra Monitoring - CRITICAL

  • February 25, 2026

lpinsivy

Publication date: February 26th, 2026

 

Component: centreon-open-tickets

List of vulnerabilities: 2


Description: A path traversal vulnerability in the Open Tickets file upload allows an authenticated user to write or delete arbitrary files.

Reference: CVE-2026-2749

CVSS: 9.9

Severity: Critical

Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Open Tickets on Central Server:


Breaking Change: The ability to define a custom command linked to a rule has been removed, due to low adoption and security concerns.

Reference: N/A

CVSS: 8.1

Severity: High

Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Open Tickets on Central Server:

👉 To ensure you do not lose any customization that might have been done to your OpenTicket provider, please make sure to create a backup of your configuration before performing the update!

 

Component: centreon-web

List of vulnerabilities: 7


Description: Improper input validation leads to remote code execution on CLAPI.

Reference: CVE-2026-2750

CVSS: 9.1

Severity: Critical

Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:


Description: Blind SQL Injection via unsanitized array keys in Service Dependencies deletion.

Reference: CVE-2026-2751

CVSS: 8.1

Severity: High

Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:


Description: Fixed several security issues within the Contact / Users configuration page.

Reference: N/A

CVSS: 7.2

Severity: High

Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:


Description: Administrators are now the only ones able to edit autologin keys of other users.

Reference: N/A

CVSS: 7.2

Severity: High

Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:


Description: Fixed a vulnerability when adding a contact with CLAPI.

Reference: N/A

CVSS: 7.2

Severity: High

Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:


Description: Broken Object Level Authorization in Users Configuration Endpoint allows Information Disclosure to an authenticated user.

Reference: CVE-2025-12523

CVSS: 6.5

Severity: Medium

Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:


Description: Broken Function Level Authorization allows execution of poller post-restart commands by an authenticated user.

Reference: CVE-2025-13050

CVSS: 5.4

Severity: Medium

Status: Fixes have been provided for all supported versions and it is recommended to update Centreon Web on Central Server:


These versions include cumulative fixes from prior updates.

If you are using a High Availability Platform, please make sure to follow the Centreon HA Update procedures.

 

Stay ahead of potential threats by subscribing to the Security Bulletin section. You’ll receive instant notifications whenever a new bulletin is published, ensuring your infrastructure remains secure and up to date.