
Description

A regular (non-admin) Zabbix user can search for other users in their own user group via the Zabbix API using filter or search criteria on fields the user does not have permission to view. The API restricts which fields are returned, but the matching is still performed on the hidden fields, so whether a user appears in the result reveals whether the hidden field matched. This allows data-mining of field values the user is not authorized to see.
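The description boils down to a field-level authorization gap (CWE-863): the output projection hides the field, but the filter is applied before that check, so the presence or absence of a row is a yes/no oracle on the hidden value. The following is an added example, not Zabbix code: it models a user.get-style call over an in-memory table, shows the oracle being used to recover a hidden value one character at a time, and shows the check that closes it. The table contents, the set of visible fields, the `filter_` (exact match) and `search` (prefix match) semantics, and the function names are all assumptions made for the model.

```python
"""Model of a 'filter on a hidden field' authorization oracle.

Hypothetical stand-in for a user.get-style API. Not Zabbix code; data,
field names and matching semantics are constructed for this example.
"""
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data. 'email' stands in for a field a regular user may
# not view on other accounts in their group.
USERS: List[Dict[str, str]] = [
    {"userid": "1", "username": "Admin", "email": "admin@example.test", "usrgrpid": "7"},
    {"userid": "2", "username": "alice", "email": "alice@example.test", "usrgrpid": "7"},
    {"userid": "3", "username": "bob",   "email": "bob@example.test",   "usrgrpid": "7"},
]

# Assumed field-level permission set for a regular user (the model applies it
# uniformly to every row, including the caller's own, for simplicity).
VISIBLE_TO_REGULAR_USER: Set[str] = {"userid", "username", "usrgrpid"}

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789@."

Api = Callable[..., List[Dict[str, str]]]


def _row_matches(user: Dict[str, str], filter_: Dict[str, str], search: Dict[str, str]) -> bool:
    """filter_: exact match on each key; search: prefix match on each key."""
    if any(user.get(k) != v for k, v in filter_.items()):
        return False
    return all(user.get(k, "").startswith(v) for k, v in search.items())


def user_get_vulnerable(caller_visible: Set[str], output: List[str],
                        filter_: Optional[Dict[str, str]] = None,
                        search: Optional[Dict[str, str]] = None) -> List[Dict[str, str]]:
    """Vulnerable pattern: rows are matched on ANY field, and only then are
    non-visible fields stripped from the output. The hidden field never appears
    in the response, but it decides whether the row is returned at all."""
    filter_ = filter_ or {}
    search = search or {}
    rows = [u for u in USERS if _row_matches(u, filter_, search)]
    return [{k: u[k] for k in output if k in caller_visible} for u in rows]


def user_get_fixed(caller_visible: Set[str], output: List[str],
                   filter_: Optional[Dict[str, str]] = None,
                   search: Optional[Dict[str, str]] = None) -> List[Dict[str, str]]:
    """Hardened form: refuse any filter/search key the caller may not view,
    so hidden fields can never influence which rows come back."""
    filter_ = filter_ or {}
    search = search or {}
    disallowed = (set(filter_) | set(search)) - caller_visible
    if disallowed:
        raise PermissionError(f"cannot filter or search on hidden field(s): {sorted(disallowed)}")
    return user_get_vulnerable(caller_visible, output, filter_, search)


def mine_hidden_field(api: Api, caller_visible: Set[str], userid: str,
                      field: str, max_len: int = 64) -> Optional[str]:
    """Recover a hidden field's value with the row-presence oracle: pin the
    target row by its (visible) userid, then extend a prefix one character at
    a time, keeping a character whenever the row is still returned.
    Returns None if the API refuses the query (the fixed behaviour)."""
    known = ""
    try:
        for _ in range(max_len):
            for ch in ALPHABET:
                rows = api(caller_visible, ["userid"],
                           filter_={"userid": userid}, search={field: known + ch})
                if rows:
                    known += ch
                    break
            else:
                return known  # no character extends the prefix: value is complete
    except PermissionError:
        return None
    return known


if __name__ == "__main__":
    print("vulnerable:", mine_hidden_field(user_get_vulnerable, VISIBLE_TO_REGULAR_USER, "3", "email"))
    print("fixed:     ", mine_hidden_field(user_get_fixed, VISIBLE_TO_REGULAR_USER, "3", "email"))
```

The practitioner check this suggests for any API with per-field visibility rules: enumerate every parameter that can constrain the result set (filter, search, sort, pagination keys, nested selects) and confirm each is validated against the same permission set as the output projection. Stripping fields from the response after the query has already been shaped by them leaves the oracle intact.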

PUBLISHED Reserved 2025-02-20 | Published 2025-10-03 | Updated 2025-10-03 | Assigner Zabbix

Severity: LOW 2.1 (CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-863: Incorrect Authorization

Product status

Default status: unknown
6.0.38: affected
7.0.9: affected
7.2.3: affected
7.4.0 before 7.4.1: affected

Credits

Zabbix wants to thank yannapostrophe and exod for submitting this report on the HackerOne bug bounty platform. (Credit type: reporter)

References

support.zabbix.com/browse/ZBX-27060

cve.org (CVE-2025-27236)

nvd.nist.gov (CVE-2025-27236)
