CVE-2026-23920 in Zabbix
Summary
by MITRE • 03/24/2026
Host and event action script input is validated with a regex (set by the administrator), but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands.
Analysis
by VulDB Data Team • 03/29/2026
This vulnerability resides in the input validation mechanism of a system that processes host and event action scripts through administrator-defined regular expressions. The core issue is that the validation runs in multiline regex mode. When an administrator's pattern uses the ^ and $ anchors, those anchors behave differently in multiline mode than in single-line mode: in multiline mode, ^ matches the beginning of each line and $ matches the end of each line, rather than the beginning and end of the entire string. An authenticated attacker can exploit this gap by injecting newline characters into the input.

The injected newline splits the input across multiple lines, so the anchors bind to the boundaries of individual lines rather than to the complete input string. Content that the pattern would normally reject, such as additional shell commands, is accepted because one line of the input satisfies the pattern on its own. The impact therefore goes beyond a simple validation bypass: this is a command injection flaw that can be leveraged for arbitrary code execution on the affected system. In Common Weakness Enumeration terms it corresponds to CWE-20 (improper input validation) and CWE-77 (command injection through improper validation). The attack vector aligns with MITRE ATT&CK technique T1059.001 (command and scripting interpreter, specifically shell scripting).

The vulnerability affects systems where administrators configure custom input validation rules for host and event actions, typically found in security information and event management systems, network monitoring tools, or automated response platforms. Because exploitation requires authentication, an attacker must first obtain legitimate user credentials; once obtained, the flaw can be used to escalate privileges and execute arbitrary commands with the privileges of the affected service. Exploitation requires minimal technical sophistication beyond an understanding of regex multiline behavior and shell command injection techniques.

Organizations should apply immediate mitigations: disable multiline regex mode for input validation, remove or sanitize the ^ and $ anchors in administrator-defined validation patterns, and add further input sanitization layers. The vulnerability highlights how strongly regex engine behavior depends on the mode in effect, and the need for input validation that accounts for all possible escape sequences and injection vectors. Security teams should audit all regex-based input validation mechanisms for similar patterns and move to validation approaches that do not rely on anchor behavior that can be subverted.
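To make the anchor semantics concrete, the following is an added Python example, not Zabbix code and not part of the VulDB analysis. It runs one constructed administrator pattern through three validation shapes over constructed inputs: the multiline form described above, the same pattern in single-line mode (which still tolerates a trailing newline), and a hardened form. Python's re.MULTILINE flag gives ^ and $ the same per-line meaning as PCRE's m modifier, so the behavior carries over; the pattern, sample strings and function names are assumptions made for the demonstration.

```python
import re

# Constructed administrator-defined allowlist: a single identifier-like argument.
# Real deployments define their own pattern; this one is an assumption for the demo.
ADMIN_PATTERN = r"^[A-Za-z0-9_.-]+$"


def check_multiline(value: str, pattern: str = ADMIN_PATTERN) -> bool:
    """Weak check, mirroring the flaw described above.

    Under re.MULTILINE, ^ and $ bind to line boundaries, so a value whose
    first line matches the pattern passes regardless of what follows the
    newline.
    """
    return re.match(pattern, value, re.MULTILINE) is not None


def check_singleline(value: str, pattern: str = ADMIN_PATTERN) -> bool:
    """Same pattern without re.MULTILINE.

    Better, but still not strict: in Python (and in PCRE without the D
    modifier) $ also matches immediately before a final newline, so a value
    that ends in a newline is accepted.
    """
    return re.match(pattern, value) is not None


def check_hardened(value: str, pattern: str = ADMIN_PATTERN) -> bool:
    """Hardened check.

    Reject line terminators outright, then require the whole string to
    match with re.fullmatch, which succeeds only if the match consumes
    every character. The pattern's own ^ and $ are harmless here.
    """
    if "\n" in value or "\r" in value:
        return False
    return re.fullmatch(pattern, value) is not None


# Constructed inputs: a benign value, a trailing-newline edge case, and a
# newline-split value carrying a second, harmless command line.
SAMPLES = {
    "benign": "host-01",
    "trailing_newline": "host-01\n",
    "newline_split": "host-01\necho injected",
}


def evaluate(samples=SAMPLES):
    """Run every sample through all three checks.

    Returns {name: (multiline_result, singleline_result, hardened_result)}.
    """
    return {
        name: (check_multiline(v), check_singleline(v), check_hardened(v))
        for name, v in samples.items()
    }


if __name__ == "__main__":
    for name, (m, s, h) in evaluate().items():
        print(f"{name:17s} multiline={m!s:5s} singleline={s!s:5s} hardened={h}")
```

The newline-split sample passes only the multiline check, which is the bypass the advisory describes; the trailing-newline sample passes both the multiline and the single-line check, which is why dropping the m modifier alone is not a complete fix. If the pattern itself must carry anchors, \A and (in Python) \Z bind only to the true ends of the string; in PCRE the strict end anchor is \z, because PCRE's \Z keeps the tolerance for a final newline.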