CVE-2026-23925

Summary

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.

Affected Software

VendorProductVersion RangeStatus
ZabbixZabbix6.0.0 <= 6.0.40affected
ZabbixZabbix7.0.0 <= 7.0.17affected
ZabbixZabbix7.4.0 <= 7.4.1affected

Weaknesses

  • CWE-863: CWE-863: Incorrect Authorization

Workarounds

Remove template and host write permissions for non-admin users.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References