-
Type:
Defect (Security)
-
Resolution: Fixed
-
Priority:
Major
-
None
-
Affects Version/s: None
-
Component/s: API (A)
-
None
| CVE ID | CVE-2026-23921 |
| CVSS score | 8.7 (High) |
| CVSS vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| Affected components | API |
| Summary | Blind, read-only SQL injection in Zabbix API via sortfield parameter |
| Description | A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise. |
| Known attack vectors | To exploit this vulnerability an attacker needs access to a Zabbix account with API access. |
| Affected and fix version/s | Affected: 7.0.0 - 7.0.21 → Fixed: 7.0.22 Affected: 7.2.0 - 7.2.14 → Fixed: 7.2.15 Affected: 7.4.0 - 7.4.5 → Fixed: 7.4.6 |
| Mitigation | Update the affected components to their respective fixed versions. |
| Workarounds | - |
| Acknowledgements | Zabbix wants to thank SeaWind for submitting this report on the HackerOne bug bounty platform. |