
CVE-2026-23925

nvd nist
Published: Mar 6, 2026
Modified: Jun 5, 2026

Score: 5.1
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Source: security@zabbix.com (Secondary)

Description

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.

Affected (3)

Products: Zabbix: Zabbix

Configuration A

Vulnerable Software: Zabbix
Affected Versions:
From 6.0.0 to 6.0.41
From 7.0.0 to 7.0.18
From 7.4.0 to 7.4.2

References (1)

Source: security@zabbix.com
Issue Tracking, Vendor Advisory, Mitigation
