CVE-2026-23925
HIGH
Zabbix - Authenticated Incorrect Authorization via configuration.import API
Title source: llm
Description
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.
References (1)
https://support.zabbix.com/browse/ZBX-27567
Scores
CVSS v3
8.1
EPSS
0.0026
EPSS Percentile
16.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (1)
zabbix/zabbix
6.0.0 - 6.0.41
Published
Mar 06, 2026
Tracked Since
Mar 06, 2026