API access should be disabled for the User role by default


    • Sprint candidates

      We are getting many security reports about things regular Zabbix users can do with API that they can't do via the UI. We know about this behaviour and have documented most of it, but I agree that it would be safer to simply disable API access for the default User role.

      To me it seems like needing the API for regular users is a niche use case and it would be more secure to enable it manually. This also goes well with the UX change we are doing for 8.0 to increase security: ZBXNEXT-10334

      Examples

      What a regular user can do "out of the box":

      • Get the content of scripts with script.get (which might include sensitive data)
      • Send data for hosts the user only has read-only access to with history.push
      • Change their Name and Last name with user.update (this is not possible from UI)
      • Get all proxy configuration with proxy.get
      • Get mediatype scripts with mediatype.get
      • More, this list isn't exhaustive...

      Proposal

      Starting with Zabbix 8.0, disable API access for the regular User role by default.

            Assignee:
            Zabbix Development Team
            Reporter:
            Janis Nulle
            Team B
            Votes:
            0
            Watchers:
            1

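A way to check whether an account in the User role can still reach the read-only methods listed in the issue (script.get, proxy.get, mediatype.get), as an added example that is not part of the issue or of Zabbix itself. It sends each call over the Zabbix JSON-RPC endpoint with a Bearer token and classifies the reply. Assumptions: the endpoint URL and the token come from the environment (`ZABBIX_URL`, `ZABBIX_TOKEN`), the token belongs to the regular user being audited, and a role without API access is refused with an error whose `data` contains "No permissions to call". The write methods from the issue (history.push, user.update) are deliberately not probed so the audit changes nothing on the server.

```python
"""Probe which read-only Zabbix API methods a regular-User-role token can call."""
import json
import os
import sys
import urllib.request

# Read-only probes for the methods named in the issue. Writes (history.push,
# user.update) are left out on purpose so running the audit modifies nothing.
READ_PROBES = {
    "script.get": {"output": ["scriptid", "name", "command"]},
    "proxy.get": {"output": ["proxyid", "name"]},
    "mediatype.get": {"output": ["mediatypeid", "name", "script"]},
}


def build_request(method, params, req_id=1):
    """Build one Zabbix JSON-RPC 2.0 request body."""
    return {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}


def classify(response):
    """Map a JSON-RPC reply to ('allowed', rows) / ('denied', msg) / ('error', msg)."""
    if "error" in response:
        err = response["error"]
        detail = str(err.get("data", "")) or str(err.get("message", ""))
        # Assumption: a role with API access disabled is refused with
        # 'No permissions to call "<method>".' in the error's data field.
        if "no permissions" in detail.lower():
            return ("denied", detail)
        return ("error", detail)
    result = response.get("result", [])
    return ("allowed", len(result) if isinstance(result, list) else 1)


def call_api(url, token, method, params, req_id=1):
    """POST one request, authenticating with a Bearer token (API token or session id)."""
    body = json.dumps(build_request(method, params, req_id)).encode()
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json-rpc",
            "Authorization": f"Bearer {token}",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit(url, token, probes=READ_PROBES):
    """Run every probe and return {method: (verdict, detail)}."""
    results = {}
    for i, (method, params) in enumerate(probes.items(), start=1):
        results[method] = classify(call_api(url, token, method, params, i))
    return results


def has_api_access(results):
    """True if any probe succeeded, i.e. the role still has API access."""
    return any(verdict == "allowed" for verdict, _ in results.values())


if __name__ == "__main__":
    # Assumed environment variables; the token must belong to the audited regular user.
    api_url = os.environ.get("ZABBIX_URL", "http://localhost/zabbix/api_jsonrpc.php")
    api_token = os.environ["ZABBIX_TOKEN"]
    outcome = audit(api_url, api_token)
    for name, (verdict, detail) in outcome.items():
        print(f"{name:14} {verdict:8} {detail}")
    # Non-zero exit means the User role can still read scripts/proxies/media types.
    sys.exit(1 if has_api_access(outcome) else 0)
```

Run it with a token issued to an ordinary user; after the proposed change (or after unticking API access in the User role) every probe should come back "denied" and the script exits 0. If `script.get` still returns rows, the `command` field in them is exactly the sensitive content the issue refers to.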