Description
Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.

The specific flaw exists within the zabbixagent_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28250.
Published: 2026-02-20
Score: 8.8 High
EPSS: 1.6% Low
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

A command‑injection flaw exists in the zabbixagent_configwizard_func method of Nagios XI. User supplied data is not validated before being passed to a system call, allowing an authenticated attacker to run arbitrary commands with the privileges of the Nagios service account. This directly compromises confidentiality, integrity and availability of the affected system.

Affected Systems

The vulnerability affects Nagios Host, specifically the Nagios XI 2026 release 1 family (for example version 2026r1-0-1). All installations of this product that include the zabbixagent_configwizard_func routine and do not apply a vendor patch are vulnerable.

Risk and Exploitability

With a CVSS score of 8.8 the flaw is measured as high severity; an exploitation probability of 2% indicates a realistic likelihood of being leveraged. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. An attacker must first authenticate to the application and then invoke the vulnerable function, based on the description it is inferred that the attacker might use the web interface or API to launch arbitrary code. Successful exploitation would give the attacker full control over the Nagios process environment.

Generated by OpenCVE AI on April 18, 2026 at 11:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest Nagios XI release that includes the vendor fix for the zabbixagent_configwizard_func vulnerability.
  • Ensure that only authorized users have access to the web interface or API endpoints that invoke the zabbixagent_configwizard_func routine, such as by tightening role‑based access controls.
  • Monitor the system for anomalous command execution or unexpected process activity to detect potential exploitation attempts.

Generated by OpenCVE AI on April 18, 2026 at 11:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Nagios nagios Xi
CPEs cpe:2.3:a:nagios:nagios_xi:2026:r1:*:*:*:*:*:*
Vendors & Products Nagios nagios Xi
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Nagios
Nagios host
Vendors & Products Nagios
Nagios host

Fri, 20 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the zabbixagent_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28250.
Title Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability
Weaknesses CWE-78
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Nagios Host Nagios Xi
cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-02-26T14:44:12.787Z

Reserved: 2026-02-06T01:14:27.066Z

Link: CVE-2026-2041

cve-icon Vulnrichment

Updated: 2026-02-24T15:10:48.286Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T23:16:04.190

Modified: 2026-02-24T13:18:09.610

Link: CVE-2026-2041

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses