CVE-2026-23925
CVE-2026-23925 is a medium-severity vulnerability rated 5.1/10 on the CVSS scale. An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. EPSS estimates a 0.26% chance of exploitation in the next 30 days.
Description
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Zabbix | Zabbix | >= 6.0.0, < 6.0.41 |
| Zabbix | Zabbix | >= 7.0.0, < 7.0.18 |
| Zabbix | Zabbix | >= 7.4.0, < 7.4.2 |
References
- https://support.zabbix.com/browse/ZBX-27567 (Issue Tracking, Mitigation, Vendor Advisory)
Source: NVD / NIST
