CVE-2026-23921: SQL Injection in Zabbix

CWE-89: SQL Injection (7 documents, 6 sources)

Severity: 8.7 HIGH (NVD)
EPSS: 0.0% (top 90.35%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Mar 24; Latest update Apr 6

Description

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (2 packages)

Debian: zabbix/zabbix < 1:7.0.22+dfsg-1~deb13u1 (+1)
CVEList V5: zabbix/zabbix 7.0.0 to 7.0.21 (+2)

Vulnerability Details (4)

OSV (2026-04-06): CVE-2026-23921: (A low privilege Zabbix user with API access can exploit a blind SQL in
OSV (2026-03-24): CVE-2026-23921: A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService
CVEList (2026-03-24): Blind, read-only SQL injection in Zabbix API via sortfield parameter
GHSA (2026-03-24): GHSA-j24v-fg24-6mqq: A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService

Vendor Advisories (1)

Debian (2026): CVE-2026-23921: zabbix - A low privilege Zabbix user with API access can exploit a blind SQL injection vu...

Threat Intelligence (1)

Wiz: CVE-2026-23921 Impact, Exploitability, and Mitigation Steps | Wiz