Nagios XI < 2024R1.4.2 API Key Disclosure via Neptune Themes

Advisories

severity: high
date: October 30, 2025
Affecting: XI < 2024R1.4.2
CVE: CVE-2025-34283
CWE: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
CVSS: 7.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: Nagios XI Security Disclosures
Nagios XI Changelog
Description: Nagios XI versions prior to 2024R1.4.2 revealed API keys to users who were not authorized for API access when using Neptune themes. An authenticated user without API privileges could view another user's or their own API key value.