CVE-2026-23921 in Zabbix

Summary

by MITRE • 03/24/2026

A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.


Analysis

by VulDB Data Team • 03/29/2026

The vulnerability identified as CVE-2026-23921 is a critical blind SQL injection flaw in the Zabbix monitoring platform, located in the CApiService.php file in the include/classes/api/ directory. It affects Zabbix users who hold only low privileges but have API access permissions, so ordinary authentication controls do not stop it: the attacker is already a legitimately authenticated user. The flaw lies in the sortfield parameter, which is processed without adequate sanitization or validation, so a malicious caller can inject SQL that executes in the database context. It is classified as a blind SQL injection because the direct output of the query is never returned to the attacker; instead, the timing of the system's response reveals information about the structure and contents of the underlying database.

Technically, the vulnerability follows the established SQL injection pattern in which a user-controllable parameter is incorporated into a SQL query without parameterization or input filtering; here the sortfield parameter is that attack surface. Because no query output is returned, exploitation relies on time-based SQL injection: a payload makes the database delay its response only when a chosen condition holds, and by observing response times across successive requests an attacker can infer the underlying data, typically one character at a time. This methodology matches the SQL injection exploitation patterns documented in the attack technique framework and is a well-documented approach to data exfiltration in environments where direct query output is unavailable.

The operational impact extends beyond simple data extraction to the compromise of administrative accounts and session identifiers. A successful attacker can obtain sensitive information such as user credentials and session tokens, and potentially administrative access to the Zabbix system. Extracting session identifiers through time-based techniques opens a path to session hijacking, in which an authenticated session is stolen and reused to gain unauthorized access to the monitoring platform. That in turn can lead to complete control over the Zabbix infrastructure: modifying monitoring configurations, disabling alerts, or reaching the monitored systems themselves through the Zabbix platform. Organizations that rely heavily on Zabbix for system monitoring and security operations are especially exposed, since the flaw provides a direct path to compromising their infrastructure monitoring capabilities.

Organizations should mitigate immediately by updating to a patched Zabbix version that addresses this SQL injection, deploying a web application firewall that can detect and block SQL injection patterns, and restricting API access to trusted users only. The flaw illustrates the importance of input validation and parameterized queries in preventing SQL injection, and corresponds to CWE-89 and CWE-94 in the Common Weakness Enumeration. Security teams should also monitor for unusual database response times and query patterns that may indicate injection attempts, and assess API endpoints regularly for similar weaknesses. Further defensive measures include detailed logging of API access and query execution, least-privilege access controls, and regular security training so administrators can recognize and respond to SQL injection attacks. The associated attack pattern corresponds to techniques in the attack tactic and technique framework, particularly those concerning credential access and privilege escalation through exploitation of application vulnerabilities.
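A defender-side illustration of the two controls recommended above, added here as an example and not code from Zabbix or from VulDB. `validate_sortfield` shows the allow-list pattern that keeps a sort-field parameter out of SQL text (a column name in ORDER BY cannot be bound as a query parameter, so an allow-list of known column names is the appropriate check), and `find_suspicious` runs a simple rejection-and-timing heuristic over constructed API access log lines to surface the repeated slow responses that a time-based probe produces. The log format, the allow-list contents, and the thresholds are assumptions made for this example, not Zabbix's own.

```python
import re
from collections import defaultdict

# Assumed allow-list for a hypothetical API method; Zabbix's real per-method
# sort-field lists are not reproduced here.
ALLOWED_SORTFIELDS = frozenset({"hostid", "name", "status"})

# Constructed API access log lines (not real Zabbix output). rt_ms is the
# server-side response time in milliseconds. "mallory" alternates between
# slow and fast responses while sending sort fields outside the allow-list;
# "bob" has one slow but legitimate request.
SAMPLE_LOG = """\
2026-03-24T10:00:01Z 10.0.0.5 user=alice method=host.get sortfield=name rt_ms=14
2026-03-24T10:00:02Z 10.0.0.5 user=alice method=host.get sortfield=status rt_ms=11
2026-03-24T10:00:03Z 10.0.0.9 user=mallory method=host.get sortfield=name_or_x rt_ms=3012
2026-03-24T10:00:05Z 10.0.0.9 user=mallory method=host.get sortfield=name_or_y rt_ms=18
2026-03-24T10:00:07Z 10.0.0.9 user=mallory method=host.get sortfield=name_or_z rt_ms=3008
2026-03-24T10:00:09Z 10.0.0.9 user=mallory method=host.get sortfield=name_or_w rt_ms=3021
2026-03-24T10:00:11Z 10.0.0.7 user=bob method=host.get sortfield=hostid rt_ms=2900
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"sortfield=(?P<sortfield>\S+) rt_ms=(?P<rt_ms>\d+)$"
)


def parse_line(line):
    """Parse one log line of the assumed format; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt_ms"] = int(rec["rt_ms"])
    return rec


def validate_sortfield(value, allowed=ALLOWED_SORTFIELDS):
    """Hardened pattern: only a name from the allow-list may reach ORDER BY.

    Accepts a single name or a list of names (mirroring an API that lets the
    caller sort on several columns) and returns them as a list; anything not in
    the allow-list raises ValueError before it can be interpolated into SQL.
    """
    fields = list(value) if isinstance(value, (list, tuple)) else [value]
    for f in fields:
        if not isinstance(f, str) or f not in allowed:
            raise ValueError(f"unsupported sortfield: {f!r}")
    return fields


def find_suspicious(log_text, slow_ms=2000, min_slow=3):
    """Per-user counts of allow-list rejections and slow responses.

    A user is reported when any request carried a sort field the allow-list
    would reject, or when at least min_slow responses took slow_ms or longer.
    A single slow request (a heavy but legitimate query) is not enough on its
    own, since time-based probing shows up as a repeated slow/fast pattern.
    """
    stats = defaultdict(lambda: {"requests": 0, "rejected": 0, "slow": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["user"]]
        s["requests"] += 1
        try:
            validate_sortfield(rec["sortfield"])
        except ValueError:
            s["rejected"] += 1
        if rec["rt_ms"] >= slow_ms:
            s["slow"] += 1
    return {u: s for u, s in stats.items() if s["rejected"] > 0 or s["slow"] >= min_slow}


if __name__ == "__main__":
    for user, counts in find_suspicious(SAMPLE_LOG).items():
        print(f"{user}: {counts}")
```

The rejection counter is the stronger signal: with an allow-list in place the injected value never reaches the database, and every rejection is worth logging with the user and source address. The slow-response counter is a complementary check for deployments that cannot patch immediately, and its thresholds should be tuned against the normal latency of the API method in question.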

Responsible

Zabbix

Reservation

01/19/2026

Disclosure

03/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00045

KEV

no

Activities

low

Sources
