CVE-2026-23925 in Zabbix
Summary
by MITRE • 03/06/2026
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.
Analysis
by VulDB Data Team • 03/10/2026
This vulnerability in the Zabbix monitoring platform is a privilege escalation issue that undermines the platform's intended access controls. An authenticated user holding template and host write permissions can use the configuration.import API endpoint to create host objects, bypassing the controls that would otherwise prevent this. It specifically affects users operating under the standard User role, which normally cannot create or modify templates and hosts directly even when it holds write permissions; through the import functionality, such users can circumvent the role-based access controls that protect the system's core configuration objects.
The flaw lies in the design of configuration.import, which accepts external data for object creation without adequately checking the requesting user's authorization level. When a user with template/host write permissions invokes the endpoint, the system does not verify whether that user also holds the elevated role required to create new host objects. This is a classic case of insufficient authorization checking in the API layer: the system assumes that write permission on a category of objects also grants the right to create new instances of it. Because the import path does not enforce the same access control checks as the direct creation paths, users can inject host definitions that would normally be restricted to administrators or other higher-privileged roles.
The operational impact goes beyond the unauthorized host itself and can amount to a confidentiality breach within the monitoring environment. An attacker holding an account with template/host write permissions could create unauthorized hosts in the Zabbix infrastructure and, through them, monitor and collect data from systems they should not have access to. Because such hosts look like legitimate monitoring targets, they can serve as a persistent foothold within the monitoring ecosystem, effectively establishing unauthorized monitoring of sensitive infrastructure. The issue directly violates the principle of least privilege and can give an attacker persistent access points into the monitored infrastructure.
Organizations should apply immediate mitigations: restrict access to the configuration.import endpoint for users with standard privileges, tighten access control policy so that template and host write permissions do not implicitly grant import capabilities, and audit existing hosts and templates for objects that should not have been created. The vulnerability maps to CWE-284 Access Control Issues (insufficient authorization checks within API endpoints) and could be categorized under ATT&CK technique T1078 Valid Accounts, since it abuses a legitimate user's privileges to gain unauthorized system access. Security teams should also consider network-level restrictions on the import API, additional authentication factors for import operations, and automated monitoring for unauthorized host creation events. Regular security assessments of API endpoints should look for similar authorization bypasses in the system's configuration management interfaces.
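The audit review recommended above, as an added example that is not VulDB's or Zabbix's own code: it walks a constructed audit trail and flags host or template creations recorded for accounts whose role is User (Zabbix role type 1; 2 = Admin, 3 = Super admin), since that role is not meant to create such objects regardless of which API method was used. The record field names and sample data are assumptions for this example, not Zabbix's auditlog schema.

```python
# Audit review for CVE-2026-23925: flag host/template creations recorded for
# User-role accounts, which the User role should not be able to perform.
# Sample records and field names are constructed for this example; they are
# not Zabbix's auditlog schema. Role numbers follow Zabbix user types.
from collections import defaultdict

ROLE_USER, ROLE_ADMIN, ROLE_SUPER_ADMIN = 1, 2, 3  # Zabbix role.type values

# Constructed audit trail (not real logs). Each entry is one object change.
SAMPLE_AUDIT = [
    {"id": 1, "user": "ops-admin", "action": "add", "resource": "host",
     "name": "db01", "method": "host.create"},
    {"id": 2, "user": "viewer1", "action": "add", "resource": "host",
     "name": "shadow-01", "method": "configuration.import"},
    {"id": 3, "user": "viewer1", "action": "update", "resource": "host",
     "name": "db01", "method": "host.update"},
    {"id": 4, "user": "viewer1", "action": "add", "resource": "template",
     "name": "tpl-x", "method": "configuration.import"},
    {"id": 5, "user": "ops-admin", "action": "add", "resource": "host",
     "name": "web01", "method": "configuration.import"},
    {"id": 6, "user": "ghost", "action": "add", "resource": "host",
     "name": "unknown-01", "method": "configuration.import"},
]
SAMPLE_ROLES = {"ops-admin": ROLE_ADMIN, "viewer1": ROLE_USER}  # constructed

def is_out_of_role(record, role_type):
    """True when a User-role account (or an account with no known role) is
    recorded as creating a host or template. Updates by such accounts fall
    within the ordinary write permission and are not flagged."""
    if record["action"] != "add" or record["resource"] not in ("host", "template"):
        return False
    return role_type is None or role_type == ROLE_USER

def find_out_of_role_creations(audit, roles):
    """Group flagged creations by account; each finding keeps the resource,
    its name and the API method so the import path stands out in review."""
    findings = defaultdict(list)
    for rec in audit:
        role_type = roles.get(rec["user"])
        if is_out_of_role(rec, role_type):
            findings[rec["user"]].append({
                "resource": rec["resource"], "name": rec["name"],
                "method": rec["method"],
                "role": "unknown" if role_type is None else role_type,
            })
    return dict(findings)

if __name__ == "__main__":
    for user, items in find_out_of_role_creations(SAMPLE_AUDIT, SAMPLE_ROLES).items():
        for f in items:
            print(f"{user}: created {f['resource']} '{f['name']}' via {f['method']} (role {f['role']})")
```

Accounts absent from the role map are flagged rather than skipped, so a deleted or renamed account that created objects still surfaces in the review.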