- Problem report
- Resolution: Fixed
- Major
- 2.4.4
Zabbix has a feature that allows a global script to be executed from the frontend with a particular host as the target.
Such global scripts have a setting which permits only a certain user group to execute them. Currently, these permissions are checked on the frontend side, but anyone with access to the Zabbix trapper port can execute any of the configured scripts.
This is deemed to be an artifact of node-based monitoring, where it was possible to execute a script on a different node, but the user session was only present on the user's node. With nodes removed, this restriction no longer applies. Therefore, permissions should be checked on the server side based on the user's session.
- is duplicated by
  - ZBX-11691 Zabbix server accepts unauthenticated requests to execute remote command (Closed)
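The server-side check the report asks for, sketched as an added example that is not Zabbix source code: the request must carry a session id, the session must resolve to an active user, and that user must belong to the group the script is restricted to. All type names, function names and the sample sessions, groups and scripts are hypothetical and constructed for illustration, including the convention that group 0 means "any user group".

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical result codes for the authorization decision. */
enum authz { AUTHZ_OK, AUTHZ_NO_SESSION, AUTHZ_BAD_SESSION, AUTHZ_NO_SCRIPT, AUTHZ_FORBIDDEN };

struct session    { const char *id; int userid; int active; };
struct membership { int userid; int groupid; };
struct script     { int scriptid; int allowed_group; }; /* 0 = any user group (assumption) */

/* Constructed sample data standing in for the server's database. */
static const struct session sessions[] = {
    { "sess-admin-0001", 1, 1 }, { "sess-guest-0002", 2, 1 }, { "sess-stale-0003", 1, 0 },
};
static const struct membership memberships[] = { { 1, 7 }, { 2, 8 } };
static const struct script scripts[] = { { 10, 7 }, { 11, 0 } };

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static int user_in_group(int userid, int groupid)
{
    for (size_t i = 0; i < COUNT(memberships); i++)
        if (memberships[i].userid == userid && memberships[i].groupid == groupid)
            return 1;
    return 0;
}

/* Decide on the server whether a script execution request may proceed.
 * A request without a valid, active session is rejected before the
 * script is even looked up, so an unauthenticated peer learns nothing. */
enum authz authorize_script_request(const char *sessionid, int scriptid)
{
    const struct session *s = NULL;
    const struct script *sc = NULL;

    if (sessionid == NULL || *sessionid == '\0')
        return AUTHZ_NO_SESSION;
    for (size_t i = 0; i < COUNT(sessions); i++)
        if (sessions[i].active && strcmp(sessions[i].id, sessionid) == 0)
            s = &sessions[i];
    if (s == NULL)
        return AUTHZ_BAD_SESSION;
    for (size_t i = 0; i < COUNT(scripts); i++)
        if (scripts[i].scriptid == scriptid)
            sc = &scripts[i];
    if (sc == NULL)
        return AUTHZ_NO_SCRIPT;
    if (sc->allowed_group != 0 && !user_in_group(s->userid, sc->allowed_group))
        return AUTHZ_FORBIDDEN;
    return AUTHZ_OK;
}
```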