CVE-2024-36467

Published: Nov 27, 2024Modified: Oct 8, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access.

Affected (4)

Products: Zabbix: Zabbix

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Zabbix Zabbix	From 5.0.0 to 5.0.43
Zabbix Zabbix	From 6.0.0 to 6.0.33
Zabbix Zabbix	From 6.4.0 to 6.4.18
Zabbix Zabbix	From 7.0.0 to 7.0.2

Related CWEs

Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (1)

https://support.zabbix.com/browse/ZBX-25614

Source: security@zabbix.com

Vendor Advisory

Timeline

No history available yet.