-
Type:
Defect (Security)
-
Resolution: Fixed
-
Priority:
Major
-
None
-
Affects Version/s: None
-
Component/s: API (A)
-
None
| CVE ID | CVE-2026-23925 |
| CVSS score | 5.1 (Medium) |
| CVSS vector | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L |
| Affected components | API |
| Summary | Unauthorized host creation via configuration.import API by low-privilege user with write permissions |
| Description | An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions. |
| Known attack vectors | Low-privilege user invoking configuration.import to perform unauthorized object creation. |
| Affected and fix version/s | Affected: 6.0.0 - 6.0.40 → Fixed: 6.0.41 Affected: 7.0.0 - 7.0.17 → Fixed: 7.0.18 Affected: 7.4.0 - 7.4.1 → Fixed: 7.4.2 |
| Mitigation | Update the affected components to their respective fixed versions. |
| Workarounds | Remove template and host write permissions for non-admin users. |