CVE-2026-23919Exposure of Data Element to Wrong Session in Zabbix

CWE-488Exposure of Data Element to Wrong Session7 documents6 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 93.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Zabbix
Timeline
PublishedMar 24
Latest updateApr 6

Description

For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L

Affected Packages2 packages

Debianzabbix/zabbix< 1:7.0.22+dfsg-1~deb13u1+1
CVEListV5zabbix/zabbix6.0.06.0.40+3

🔴Vulnerability Details

4
OSV
CVE-2026-23919: (For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape2026-04-06
CVEList
Insufficient isolation of JavaScript (Duktape) execution context on Zabbix Server2026-03-24
OSV
CVE-2026-23919: For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks)2026-03-24
GHSA
GHSA-h55g-ww3m-9hq9: For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks)2026-03-24

📋Vendor Advisories

1
Debian
CVE-2026-23919: zabbix - For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts...2026

🕵️Threat Intelligence

1
Wiz
CVE-2026-23919 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-23919 — Zabbix vulnerability | cvebase