CVE-2026-23924 in Agent 2 Docker Plugin

Summary

by MITRE • 03/24/2026

Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary files from running Docker containers by injecting them via the Docker archive API.


Analysis

by VulDB Data Team • 03/29/2026

The vulnerability identified as CVE-2026-23924 affects the Zabbix Agent 2 Docker plugin implementation, representing a critical security flaw that enables unauthorized file access within Docker container environments. This issue stems from insufficient input validation and sanitization within the agent's handling of docker.container_info parameters, creating a pathway for malicious actors to exploit the system through the Docker archive API interface.

The technical flaw manifests when the Zabbix Agent 2 processes container information requests and fails to properly sanitize user-supplied parameters before forwarding them to the underlying Docker daemon. This inadequate sanitization allows for path traversal attacks where an attacker can inject malicious file paths that bypass normal access controls. The vulnerability specifically impacts the Docker archive API functionality, which is designed to retrieve container file system contents for monitoring purposes but becomes exploitable when parameter validation is bypassed.

The operational impact of this vulnerability extends beyond simple information disclosure, as it enables attackers to read arbitrary files from running containers, potentially exposing sensitive data such as configuration files, credentials, application data, or system information. This access can lead to privilege escalation opportunities, lateral movement within containerized environments, and comprehensive system reconnaissance. The vulnerability is particularly dangerous in production environments where Zabbix agents are deployed with elevated privileges to monitor container health and performance.

From a cybersecurity perspective, this vulnerability aligns with CWE-22 Path Traversal and CWE-770 Allocation of Resources Without Limits or Throttling, representing a resource management flaw that can be exploited for unauthorized access. The attack pattern follows ATT&CK technique T1059 Command and Scripting Interpreter and T1071.004 Application Layer Protocol DNS, as attackers may leverage the compromised agent to access container filesystems and potentially escalate privileges through command execution. Organizations using containerized environments with Zabbix monitoring are particularly at risk, as this vulnerability can be exploited from within the network boundary by any user with access to invoke the Zabbix Agent 2 functionality.

Mitigation strategies should include immediate patching of the Zabbix Agent 2 Docker plugin to implement proper input sanitization and parameter validation. Organizations should also implement network segmentation to limit access to Zabbix agents, restrict the privileges of the agent processes, and employ monitoring solutions to detect anomalous file access patterns. Additionally, regular security assessments of containerized environments should be conducted to identify similar vulnerabilities in other monitoring tools and ensure proper access controls are in place to prevent unauthorized exploitation of such security flaws.
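The parameter validation named in the mitigation above can be sketched as follows. This is an added example, not Zabbix's code or its actual fix; `inspectPath`, the 128-character cap and the mapping of `docker.container_info` to the Docker Engine API inspect endpoint `/containers/{id}/json` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Allowlist for a container reference: Docker names follow
// [a-zA-Z0-9][a-zA-Z0-9_.-]+ and IDs are hex, so both fit this pattern.
// The length cap is an assumption. In Go, ^ and $ anchor to the whole
// input, so a trailing newline does not slip through.
var containerRef = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,127}$`)

var errBadRef = errors.New("invalid container reference")

// inspectPath (hypothetical helper) validates a caller-supplied item
// parameter before it is placed into a Docker Engine API request path.
func inspectPath(param string) (string, error) {
	if !containerRef.MatchString(param) {
		// Rejects path separators, query and fragment markers, percent
		// escapes, control characters and empty input.
		return "", errBadRef
	}
	// The allowlist leaves nothing to escape; PathEscape is defence in
	// depth in case the pattern is loosened later.
	return "/containers/" + url.PathEscape(param) + "/json", nil
}

func main() {
	// Constructed sample parameters, not taken from any real request.
	samples := []string{"web-1", "3f4e9a1b2c3d", "web/../x", "web?x=1", "web%2Fx", ""}
	for _, p := range samples {
		path, err := inspectPath(p)
		fmt.Printf("%-16q -> %q err=%v\n", p, path, err)
	}
}
```

Rejecting on validation failure, rather than stripping characters and continuing, keeps the request that reaches the Docker daemon identical to what the caller asked for.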

Responsible

Zabbix

Reservation

01/19/2026

Disclosure

03/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00065

KEV

no

Activities

very low
