CVE-2025-27236 in Zabbix

Summary

by MITRE • 10/03/2025

A regular Zabbix user can search other users in their user group via the Zabbix API by selecting fields the user does not have access to view. This allows data-mining some field values the user does not have access to.


Analysis

by VulDB Data Team • 10/03/2025

This vulnerability in the Zabbix monitoring platform lets a regular user use the API to enumerate information about other users in their assigned user group. The flaw stems from insufficient access control validation during API search operations: when a user queries other users and selects fields, the system does not check whether the requester is authorized to view those fields, even within the same group. As a result, a user can discover field values that their permission level should keep hidden. This is an access control weakness that undermines the principle of least privilege, affects the confidentiality leg of the CIA triad, and gives an attacker a systematic way to gather user data and plan follow-on attacks. It maps to CWE-284 (Improper Access Control), specifically insufficient access control within API interfaces, and aligns with ATT&CK technique T1213 (Data from Information Repositories), since it enables unauthorized access to user information stored in the system's repository. The data mining it permits can reveal user credentials, roles, and other sensitive attributes through API calls that should be restricted, which is particularly concerning where Zabbix is the central monitoring solution for critical infrastructure and such information could support privilege escalation or targeted attacks.

Enforcing proper field-level access controls in API responses would prevent this vulnerability: API queries must respect the principle of least privilege, and field-level permissions must be enforced regardless of user group membership. Because any regular user in a user group can exploit it, the attack requires minimal privileges, and the gathered data could help an attacker understand user roles, identify high-privilege accounts, and plan more sophisticated attacks against the monitored systems. The root cause is a design flaw in the API authorization model, in which user group membership does not translate into field-level access restrictions. Security teams should review API access controls comprehensively, ensure that field-level permissions are enforced during search operations (including when a restricted field is used only as a search or filter criterion rather than returned in the output), validate access controls at multiple levels within application interfaces, and test API endpoints regularly for similar weaknesses. Organizations using Zabbix should treat this as a high-priority issue requiring immediate patching or a workaround to prevent information disclosure.
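The following is an added illustration of the mitigation described above; it is not Zabbix code and the user records, field names and role policy are constructed assumptions. It contrasts a leaky user search that only strips restricted fields from the output (so an exact-match filter on a hidden field still acts as an oracle for its value) with a hardened search that applies the same field-level policy to the output, filter and search parameters alike.

```python
"""Field-level authorization for a user-search API (illustrative, not Zabbix code)."""
from typing import Dict, List, Optional

# Constructed sample records; field names are assumptions, not the Zabbix schema.
USERS = [
    {"userid": 1, "username": "alice", "email": "alice@example.test", "roleid": 3, "groupid": 7},
    {"userid": 2, "username": "bob",   "email": "bob@example.test",   "roleid": 1, "groupid": 7},
    {"userid": 3, "username": "carol", "email": "carol@example.test", "roleid": 1, "groupid": 9},
]

# Assumed policy: fields a requester of a given role may read on other users of its group.
VIEWABLE_FIELDS = {
    "admin": {"userid", "username", "email", "roleid", "groupid"},
    "user":  {"userid", "username"},
}


class AccessDenied(Exception):
    """Raised when a query references a field the requester may not read."""


def _matches(user: Dict, filters: Dict, search: Dict) -> bool:
    """Exact-match `filters` and case-insensitive substring `search`, all must hold."""
    if any(user.get(k) != v for k, v in filters.items()):
        return False
    return all(str(v).lower() in str(user.get(k, "")).lower() for k, v in search.items())


def leaky_search(requester: Dict, output: List[str],
                 filters: Optional[Dict] = None, search: Optional[Dict] = None) -> List[Dict]:
    """Weak pattern: restricted fields are removed from the response only.

    Predicates on hidden fields are still evaluated, so the presence or absence
    of a row in the result confirms or refutes a guessed value.
    """
    allowed = VIEWABLE_FIELDS[requester["role"]]
    rows = []
    for u in USERS:
        if u["groupid"] == requester["groupid"] and _matches(u, filters or {}, search or {}):
            rows.append({k: u[k] for k in output if k in allowed})
    return rows


def search_users(requester: Dict, output: List[str],
                 filters: Optional[Dict] = None, search: Optional[Dict] = None) -> List[Dict]:
    """Hardened pattern: one policy governs output, filter and search fields.

    A field the requester may not read is rejected wherever it appears in the
    query, so it can neither be returned nor used as a predicate.
    """
    allowed = VIEWABLE_FIELDS[requester["role"]]
    filters, search = filters or {}, search or {}
    denied = (set(output) | set(filters) | set(search)) - allowed
    if denied:
        raise AccessDenied(f"fields not permitted for role {requester['role']!r}: {sorted(denied)}")
    return [
        {k: u[k] for k in output}
        for u in USERS
        if u["groupid"] == requester["groupid"] and _matches(u, filters, search)
    ]


def query_denied(requester: Dict, output: List[str],
                 filters: Optional[Dict] = None, search: Optional[Dict] = None) -> bool:
    """True if the hardened search rejects the query outright."""
    try:
        search_users(requester, output, filters, search)
    except AccessDenied:
        return True
    return False


if __name__ == "__main__":
    regular = {"userid": 1, "role": "user", "groupid": 7}
    # The leaky variant answers a filter on a hidden field; the hardened one refuses it.
    print(leaky_search(regular, ["username"], filters={"email": "bob@example.test"}))
    print(query_denied(regular, ["username"], filters={"email": "bob@example.test"}))
```

The design point is that authorization must be decided from the full set of fields a query touches, not from the response shape alone: stripping fields after the fact is what leaves the search-as-oracle path open.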

Responsible

Zabbix

Reservation

02/20/2025

Disclosure

10/03/2025

Moderation

accepted

CPE

ready

EPSS

0.00342

KEV

no

Activities

very low

Sources
