CVE-2025-27236

Summary

A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to.

Affected Software

VendorProductVersion RangeStatus
ZabbixZabbix6.0.38 <= 6.0.40affected
ZabbixZabbix7.0.9 <= 7.0.16affected
ZabbixZabbix7.2.3 <= 7.2.10affected
ZabbixZabbix7.4.0 < 7.4.1affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References