CVE-2026-23919 in Zabbix

Summary

by MITRE • 03/24/2026

For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript preprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built-in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information in Zabbix documentation: https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe


Analysis

by VulDB Data Team • 03/29/2026

This vulnerability exists within the Zabbix monitoring platform where the server and proxy components reuse JavaScript contexts for performance optimization purposes. The implementation utilizes the Duktape JavaScript engine to execute script items, JavaScript reprocessing, and webhooks. When multiple operations share the same JavaScript context, the state persists across different execution sessions, creating an unintended information disclosure channel. This design choice, while beneficial for performance, introduces a security risk where regular user privileges can be exploited to access data they should not normally have access to.

The technical flaw stems from the persistence of JavaScript execution contexts and global variable state between different script executions. When a regular Zabbix administrator executes a script, any global variables or objects created during that execution remain accessible to subsequent scripts within the same context. This creates a scenario where malicious or improperly designed scripts can read data from previous script executions, effectively allowing privilege escalation through information leakage. The vulnerability specifically affects the JavaScript object model within Zabbix's preprocessing engine, where objects that should be isolated between different host accesses remain accessible across different operations.

The operational impact of this vulnerability is significant for organizations relying on Zabbix for infrastructure monitoring, as it allows unauthorized data access that could compromise system security. A regular administrator could potentially access sensitive host information, configuration details, or performance metrics from systems they do not have explicit permissions to view. This affects the principle of least privilege and can lead to exposure of critical infrastructure data. The risk is particularly concerning in multi-tenant environments or organizations with strict access controls where different teams should not have visibility into each other's systems.

The vulnerability has been addressed through a fix that makes built-in Zabbix JavaScript objects read-only, preventing modification of critical system objects. However, the recommended mitigation goes beyond this immediate patch by advising against the use of global JavaScript variables entirely. This aligns with security best practices outlined in CWE-242, which addresses the use of dangerous functions and unsafe global variable usage in programming contexts. Organizations should implement configuration changes to disable global variable usage in preprocessing scripts and adopt defensive programming practices. The Zabbix documentation specifically recommends against using global variables as they create persistent state that can be exploited for information leakage. This vulnerability demonstrates the security implications of performance optimizations and the importance of maintaining proper isolation boundaries in multi-user systems. The fix represents a compromise between performance requirements and security considerations, emphasizing the need for careful design decisions in security-critical systems where resource sharing can introduce unexpected attack vectors.

Responsible

Zabbix

Reservation

01/19/2026

Disclosure

03/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00030

KEV

no

Activities

very low

Sources
