Nagios XI <2024R1.1.3 Authenticated Sensitive Info Disclosure (API Keys/PW Hashes)
CVE-2024-13998 Published on November 3, 2025
Nagios XI < 2024R1.1.3 API Keys & Hashed Passwords Authenticated Information Disclosure
Nagios XI versions prior to 2024R1.1.3, under certain circumstances, disclose sensitive user account information (including API keys and hashed passwords) to authenticated users who should not have access to that data. Exposure of API keys or password hashes could lead to account compromise, abuse of API privileges, or offline cracking attempts. CVE-2024-13995 addresses a similar vulnerability with a potentially incomplete fix for the underlying problem in earlier versions.
Weakness Type
Exposure of Sensitive System Information to an Unauthorized Control Sphere
The application does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the application does.
Products Associated with CVE-2024-13998
stack.watch emails you whenever new vulnerabilities are published in Nagios Xi or Nagios Xi. Just hit a watch button to start following.
Affected Versions
Nagios XI:- Before 2024R1.1.3 is unknown.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.