Releases: Icinga/icinga2

Icinga 2 v2.16.0

23 Apr 08:37
v2.16.0
5855790

With this release the license of the project was updated to GPLv3 or later (#10700).

In this release we've added the OTLPMetricsWriter, a new perfdata writer targeting backends that support the OpenTelemetry protocol. We recommend that users replace other perfdata writers with this one if possible, especially ElasticsearchWriter, which is now deprecated and scheduled for removal in v2.18.

Another big improvement is the addition of streaming support to our HTTP handlers. Most handlers now use chunked encoding to reduce the amount of the generated JSON document that has to be kept in memory at any one time. Some endpoints, notably v1/objects/query, will also start to stream the response immediately, as the results are processed. This should solve most of the memory issues users were seeing when using the Icinga 2 API on large clusters.

We've also redone our Docker images with this version, with some changes to how the /data directory is mounted and initialized, so make sure you read the new documentation page for installing Icinga 2 in containers.

Below is a summary of the changes relevant for our users. For the complete list of issues and PRs, please see the milestone on GitHub.

Please also check our upgrading docs to see if your configuration requires any manual steps for this update.

Notes

Thanks to all contributors: brad0, cjsoftuk, Donien, Egor-OSSRevival, ETES-Stuttgart, freaknils, martialblog, Napsty, RincewindsHat, Tqnsls, w1ll-i-code, ymartin-ovh

Deprecations

Features newly deprecated in this version:

  • ElasticsearchWriter (please use the new OTLPMetricsWriter instead)
  • User declared namespace objects (i.e. namespace foo {})

We've scheduled these features for removal in v2.18 (#10734).

These features have already been deprecated and will also be removed in v2.18:

  • IdoMySqlConnection
  • IdoPgsqlConnection
  • CompatLogger
  • ExternalCommandListener
  • LivestatusListener
  • Windows check-plugins (i.e. check_*.exe) and CheckCommands (please use our PowerShell Plugins instead)

We will also no longer provide 32bit Windows MSIs via Chocolatey (#10757).

Enhancements

  • OTLPMetricsWriter: A new perfdata writer for the OpenTelemetry protocol: #10685, #10789, and #10800
  • HTTP API-handlers now stream results via chunked encoding where possible: #10554, #10692, #10516, and #10414
  • Rework docker images build: #10505, #10666, and #10738
  • Better debug log messages for dependencies with non-existing parents or children: #10737
  • No longer require the unused queue parameter for v1/events: #10495
  • Allow UID/GID values in ICINGA2_USER and ICINGA2_GROUP environment variables: #10538
  • Add messages_received_per_type attribute to endpoints: #10387
  • Better error messages on Redis® connection errors: #10727
  • New node-setup command option --no-default-global-zones: #10028
  • Warn on problematic object names: #10770
  • New config option http_response_headers for ApiListener that allows setting arbitrary HTTP headers that will be sent back with responses: #10563, #10664, and #10662

Bugfixes

  • Fix a race condition in the v1/console handler: #10681 and #10675
  • InfluxDBWriter: Print full HTTP error body when request fails: #10560
  • Fix a crash when querying objects that are simultaneously deleted: #10698
  • Fix a race condition leading to double notifications: #10628
  • Improve BSD support: #10641, #10640, #10638, and #10635
  • TimePeriod: Properly validate ranges field: #10633
  • Fix recovery notifications outside time period being lost: #10613
  • Prevent worst-case exponential complexity in dependency evaluation: #10523
  • Fix double-free error in posix_error::what(): #10558
  • Fix expiry times not applying correctly to Acknowledgements via ExternalCommandProcessor: #10486
  • Fix dropped or stalled connections blocking Icinga 2 shutdown on all perfdata writers: #10668 and #10799
  • Fix misleading TLS handshake error logging: #10798
  • SELinux: Allow to query attrs of a filesystem: #10726

ITL

  • Support for the check_smart plugin: #8041
  • Add ssl_cert_long_output option to check_ssl_cert plugin: #10526
  • Enhanced SMART attributes monitoring plugin check configuration with more parameters: #10564
  • Add plain fping CheckCommand to ITL: #10494
  • Remove clear variable from disk CheckCommand: #10531
  • Add a check command for NETGEAR monitoring: #10753

Optimizations

  • Several performance optimizations for the Redis® connection: #10391, #10732, and #10744
  • IcingaDB: Better config and state update queueing: #10619
  • Freeze registries after startup: #10388
  • Small code and performance optimizations in Log class: #10504
  • Improved efficiency of the CpuBoundWork implementation: #9990 and #10795

Miscellaneous

Windows

  • OpenSSL shipped on Windows updated to 3.5.6: #10786
  • Boost version shipped on Windows updated to 1.90: #10669

Icinga 2 v2.15.3

23 Apr 08:37
v2.15.3
93dea6d

This is a small release containing a few bugfixes backported from the v2.16.0 release.

We will also no longer provide 32bit Windows MSIs via Chocolatey (#10761).

  • Bump OpenSSL shipped for Windows to v3.0.20: #10793
  • Fixed a race condition in the v1/console handler: #10755 and #10740
  • Fix double-free error in posix_error::what(): #10742
  • InfluxDBWriter: print full HTTP error body when request fails: #10739

Icinga 2 v2.15.2

29 Jan 13:30
v2.15.2

This security release fixes a problem in the Icinga 2 Windows MSI that did not set proper permissions for %ProgramData%\icinga2\var. Additionally, it includes two minor bug fixes regarding our SELinux policy and updates the OpenSSL version shipped on Windows.

Security

  • CVE-2026-24413: Fix permissions of %ProgramData%\icinga2\var on Windows.
  • SELinux: Fix policy to allow logrotate to execute the icinga2 binary in order to send SIGUSR1 for log rotation. #10643
  • SELinux: Fix policy to allow icinga2 to send SIGTERM to nagios plugins processes on timeout. #10694

Other Changes

  • doc: Update Windows development docs to use Visual Studio 2022 instead of 2019. #10695
  • Windows: Update to OpenSSL 3.0.19. #10706

Icinga 2 v2.14.8

29 Jan 13:31
v2.14.8

This security release fixes a problem in the Icinga 2 Windows MSI that did not set proper permissions for %ProgramData%\icinga2\var. Additionally, it updates the bundled OpenSSL library and includes changes to allow building with newer toolchains.

Security

  • CVE-2026-24413: Fix permissions of %ProgramData%\icinga2\var on Windows.

Other Changes

  • Windows: Update to OpenSSL 3.0.19. #10705
  • Bump Boost shipped for Windows to v1.87. #10651
  • Allow building with CMake 4. #10624

Icinga 2 v2.13.14

29 Jan 13:31
v2.13.14

This security release fixes a problem in the Icinga 2 Windows MSI that did not set proper permissions for %ProgramData%\icinga2\var. Additionally, it updates the bundled OpenSSL library and includes changes to allow building with newer toolchains.

Security

  • CVE-2026-24413: Fix permissions of %ProgramData%\icinga2\var on Windows.

Other Changes

  • Windows: Update to OpenSSL 3.0.19. #10704
  • Allow building with CMake 4. #10625

Icinga 2 v2.15.1

16 Oct 12:32
v2.15.1

This release fixes multiple security issues. Two of them allow authenticated API users to learn restricted information or crash Icinga 2. A third issue affects the scripts provided with Icinga 2 and allows a limited privilege escalation where the Icinga 2 daemon user can trick root into sending signals to arbitrary processes.

In addition, this version also includes bug fixes regarding config deployments and improvements to allow for better debugging of problems related to JSON-RPC cluster communication.

Note that one fix affects the logrotate configuration. If it was modified locally, it might not be updated automatically by the package manager and applying the changes manually is necessary. For details, please check the upgrading docs.

Security

  • CVE-2025-61907: Prevent API users from accessing variables and objects they don't have access to within filter expressions. This allowed authenticated API users to learn information they aren't allowed to access directly.
  • CVE-2025-61908: Add a missing null pointer check while evaluating expressions. This allowed authenticated API users to crash the Icinga 2 daemon by supplying a crafted filter expression.
  • CVE-2025-61909: Don't send signals as root in safe-reload script and logrotate config. This allowed a limited privilege escalation from the Icinga 2 service user to root. The scope is limited to sending SIGHUP or SIGUSR1 to an arbitrary process. #10590
  • Windows: Update to OpenSSL 3.0.18. #10591

Bugfixes

  • When a reload triggered from Icinga Director (or the /v1/config API) fails, the corresponding state is cleared, allowing a new config to be deployed without having to restart Icinga 2 manually first. #10584

Enhancements

  • Add JSON-RPC utilization metrics and troubleshooting docs. #10586
  • When sending cluster messages to other zones, prefer endpoints in the order as specified in the zone configuration. #10587
  • Track the number of JSON-RPC messages received for each message type per endpoint. #10585
  • Add support for building with Boost v1.89 and use it on Windows. #10578

Icinga 2 v2.14.7

16 Oct 12:31
v2.14.7

This release fixes multiple security issues. Two of them allow authenticated API users to learn restricted information or crash Icinga 2. A third issue affects the scripts provided with Icinga 2 and allows a limited privilege escalation where the Icinga 2 daemon user can trick root into sending signals to arbitrary processes.

Note that one fix affects the logrotate configuration. If it was modified locally, it might not be updated automatically by the package manager and applying the changes manually is necessary. For details, please check the upgrading docs.

  • CVE-2025-61907: Prevent API users from accessing variables and objects they don't have access to within filter expressions. This allowed authenticated API users to learn information they aren't allowed to access directly.
  • CVE-2025-61908: Add a missing null pointer check while evaluating expressions. This allowed authenticated API users to crash the Icinga 2 daemon by supplying a crafted filter expression.
  • CVE-2025-61909: Don't send signals as root in safe-reload script and logrotate config. This allowed a limited privilege escalation from the Icinga 2 service user to root. The scope is limited to sending SIGHUP or SIGUSR1 to an arbitrary process. #10597
  • Windows: Update to OpenSSL 3.0.18. #10595
  • Windows: upgrade build toolchain to Visual Studio 2022. #10594

Icinga 2 v2.13.13

16 Oct 12:29
v2.13.13

This release fixes multiple security issues. Two of them allow authenticated API users to learn restricted information or crash Icinga 2. A third issue affects the scripts provided with Icinga 2 and allows a limited privilege escalation where the Icinga 2 daemon user can trick root into sending signals to arbitrary processes.

Note that one fix affects the logrotate configuration. If it was modified locally, it might not be updated automatically by the package manager and applying the changes manually is necessary. For details, please check the upgrading docs.

  • CVE-2025-61907: Prevent API users from accessing variables and objects they don't have access to within filter expressions. This allowed authenticated API users to learn information they aren't allowed to access directly. In this version, this also applies to the TicketSalt variable, which was previously accessible through the /v1/variables API.
  • CVE-2025-61908: Add a missing null pointer check while evaluating expressions. This allowed authenticated API users to crash the Icinga 2 daemon by supplying a crafted filter expression.
  • CVE-2025-61909: Don't send signals as root in safe-reload script and logrotate config. This allowed a limited privilege escalation from the Icinga 2 service user to root. The scope is limited to sending SIGHUP or SIGUSR1 to an arbitrary process. #10601
  • Windows: Update to OpenSSL 3.0.18. #10602
  • Windows: upgrade build toolchain to Visual Studio 2022. #10598

Icinga 2 v2.15.0

18 Jun 14:41
v2.15.0
f879480

This Icinga 2 release is focused on adding Icinga 2 dependencies support to Icinga DB, but also includes a number of bugfixes, enhancements and code quality improvements. Below is a summary of the most important changes; for the complete list of issues and PRs, please see the milestone on GitHub.

Notes

Thanks to all contributors: ChrLau, Josef-Friedrich, LordHepipud, OdyX, RincewindsHat, SebastianOpeni, SpeedD3, Tqnsls, botovq, cycloon, legioner0, legna-namor, macdems, mathiasaerts, mcodato, n-rodriguez, netphantm, nicolasberens, oldelvet, peteeckel, tbauriedel, w1ll-i-code, ymartin-ovh

Breaking Changes

  • API: Fix /v1/objects/* queries with attrs set to [] to return empty attributes instead of all of them. #8169
  • Drop the undocumented Checkable#process_check_result and broken System#track_parents DSL functions. #10457

Enhancements

  • Gracefully disconnect all clients on shutdown and stop accepting new connections. #10460
  • Icinga DB: Send data to Redis® exactly as they're stored in the database to avoid extra value-mapping routines by the Go daemon. #10452
  • Add support for Icinga 2 dependencies in Icinga DB. #10290
  • Take host/service reachability into account when computing its severity. #10399
  • Rework the dependency cycle detection to efficiently handle large configs and provide better error messages. #10360
  • Don't log next check timestamp in scientific notation. #10352
  • Automatically remove child downtimes when removing parent downtime. #10345
  • Ensure compatibility with Boost version up to v1.88. #10278 #10419
  • Reject infinite performance data values. #10077
  • Support host_template and service_template tags in ElasticsearchWriter. #10074
  • Icinga DB: Support Redis® username authentication. #10102
  • Cluster: Distribute host child objects (e.g. services, notifications, etc.) based on the host's name. #10161
  • Icinga DB Check: Report an error if both Icinga DB instances are responsible in a HA setup. #10188
  • Windows: upgrade build toolchain to Visual Studio 2022. #9747

Bugfixes

  • Core
    • Use Checkable#check_timeout also for rescheduling remote checks. #10443
    • Log: Don't unnecessarily buffer log messages that are going to be dropped anyway. #10177
    • Don't lose perfdata counter (c) unit when normalizing performance data for Icinga DB. #10432
    • Fix broken SELinux policy on Fedora ≥ 41 due to the new /usr/sbin to /usr/bin equivalence. #10429
    • Don't load Notification objects before User and UserGroup objects to allow them to be referenced in notifications. #10427
    • Ensure consistent DST handling across different platforms. #10422
    • Fix Icinga 2 not generating a core dump when it crashes with SIGABRT. #10416
    • Don't process concurrent checks for the same checkable. #10372
    • Don't process check results after the checker and API listener have been stopped. #10397
    • Avoid zombie processes on plugin execution timeout on busy systems. #10375
    • Properly restore the notification object state on Recovery notification. #10361
    • Fix incorrectly dropped acknowledgement and recovery notifications. #10211
    • Prevent checks from always being rescheduled outside the configured check_period. #10070
    • Don't send reminder notifications after a Custom notification while interval is set to 0. #7818
    • Reset all signal handlers of child processes to their defaults before starting a plugin. #8011
    • tests: Fix FormatDateTime test cases with invalid formats on macOS and all BSD-based systems. #10149
    • Mark move constructor and assignment operator in String as noexcept to allow optimizations. #10353 #10365
  • Cluster and API
    • Fix an inverted condition in ApiListener#IsHACluster() that caused it to always return true in a non-HA setup. #10417
    • Don't silently accept authenticated JSON-RPC connections with no valid endpoint. #10415
    • Sync Notification#notified_problem_users across the cluster to prevent lost recovery notifications. #10380
    • Remove superfluous ) from a HTTP request log message. #9966
    • Disable TLS renegotiation (handshake on existing connection) on OpenBSD as well. #9943
    • Log also the underlying error message when a HTTP request is closed with No data received by Icinga 2. #9928
    • Fix a deadlock triggered by concurrent /v1/actions/add-comment and /v1/actions/acknowledge-problem requests on the same checkable, as well as a crash that might occur when running perfectly timed /v1/actions/add-comment and /v1/actions/remove-comment requests targeting the same comment. #9924
  • Icinga DB
    • Fix missing acknowledgement and flapping history entries due to a number overflow. #10467
    • Send downtime cancel_time only if it is cancelled. #10379
    • Send only the necessary data to the icinga:stats Redis® stream. #10359
    • Remove a spin lock in RedisConnection#Connect() to avoid busy waiting. #10265
  • Writers
    • Serialize all required metrics before queueing them to a WorkQueue. #10420
    • OpenTsdbWriter: Include checkable name in log messages to ease troubleshooting. #10009
    • OpenTsdbWriter: Don't send custom empty tags. #7928
    • InfluxDBWriter: Add missing closing quote in validation error message. #10174

ITL

  • Add --maintenance_mode_state ($vmware_maintenance_mode_state$) argument to vmware-esx-command check command. #10435
  • Add -n ($load_procs_to_show$) argument to load check command. #10426
  • Add --inode-perfdata ($disk_np_inode_perfdata$) argument to disk check command. #10395
  • Add -r ($ssh_remote_version$) and -P ($ssh_remote_protocol$) arguments to ssh check command. #10283
  • Add --unplugged_nics_state ($vmware_unplugged_nics_state$) argument to vmware-esx-soap-host-net and vmware-esx-soap-host-net-nic check commands. #10261
  • Add -X ($proc_exclude_process$) argument to procs check command. #10232
  • Add --dane ($ssl_cert_dane$) argument to ssl_cert check command. #10196
  • Fix check_ssl_cert deprecation warnings. #9758
  • Fix check_systemd executable name and add all missing arguments. #10035
  • Add -M ($snmp_multiplier$ & $snmpv3_multiplier$) argument to snmp and snmpv3 check commands. #9975
  • Add --continue-after-certificate ($http_certificate_continue$) argument to http check command. #9974
  • Add --ignore-maximum-validity ($ssl_cert_ignore_maximum_validity$) argument to ssl_cert check command. #10396
  • Add --maximum-validity ($ssl_cert_maximum_validity$) argument to ssl_cert check command. #9881
  • Add --url ($ssl_cert_http_url$) argument to ssl_cert check command. #9759
  • Add fuse.sshfs and fuse.* (supported only by Monitoring Plugins) to the list of default disk exclude types. #9749
  • Add check_curl check command. #9205
  • Add the --extra-opts argument to various commands that support it. #8010

Documentation

  • Don't use dnf config-manager to configure Fedora repository and mention icingadb-redis-selinux package. #10479
  • Update the outdated cold startup duration documentation to reflect the current behavior. #10446
  • Indent second-level unordered lists with four spaces to correctly render them in the HTML documentation. #10441
  • Add a reference to the check result state documentation from within the Advanced Topics section. #10421
  • Improve the documentation of how to generate Icinga 2 core dumps. #10418
  • Update Icinga 2 CLI output examples to match t...

Icinga 2 v2.13.12

27 May 12:01
v2.13.12

This security release fixes a critical issue in the certificate renewal logic in Icinga 2, which might incorrectly renew an invalid certificate. However, only nodes with access to the Icinga CA private key running with OpenSSL older than version 1.1.0 (released in 2016) are vulnerable. So this typically affects Icinga 2 masters running on operating systems like RHEL 7 and Amazon Linux 2.

For details, please check the release announcement and the GitHub security advisory.

  • CVE-2025-48057: Prevent invalid certificates from being renewed with OpenSSL older than v1.1.0.
  • Fix use-after-free in VerifyCertificate(): Additionally, a use-after-free was found in the same function which is fixed as well, but in case it is triggered, typically only a wrong error code may be shown in a log message.
  • Windows: Update OpenSSL shipped on Windows to v3.0.16.
  • Fix a failing test case on systems where time_t is only 32 bits. #10344