CVE-2026-23925 — Incorrect Authorization in Zabbix

CWE-863 — Incorrect Authorization CWE-266 — Incorrect Privilege Assignment7 documents7 sources

Severity

5.1MEDIUMNVD

EPSS

0.0%

top 97.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zabbix

Timeline

PublishedMar 6

Description

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L

Affected Packages2 packages

▶Debianzabbix/zabbix< 1:7.0.22+dfsg-1~deb13u1+1

▶CVEListV5zabbix/zabbix6.0.0 — 6.0.40+2

🔴Vulnerability Details

OSV

CVE-2026-23925: An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration↗2026-03-06

▶

GHSA

GHSA-cv64-6j2c-f8cg: An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration↗2026-03-06

▶

CVEList

Unauthorized host creation via configuration.import API by low-privilege user with write permissions↗2026-03-06

▶

📋Vendor Advisories

Red Hat

zabbix: Zabbix: Confidentiality loss via improper access control in configuration.import API↗2026-03-06

▶

Debian

CVE-2026-23925: zabbix - An authenticated Zabbix user (User role) with template/host write permissions is...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-23925 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶