
Description

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.

PUBLISHED Reserved 2026-01-19 | Published 2026-03-06 | Updated 2026-03-06 | Assigner Zabbix




MEDIUM: 5.1 | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L

Problem types

CWE-863: Incorrect Authorization

Product status

Default status: unknown

6.0.0 (git): affected

7.0.0 (git): affected

7.4.0 (git): affected

References

support.zabbix.com/browse/ZBX-27567

cve.org (CVE-2026-23925)

nvd.nist.gov (CVE-2026-23925)
