Description
For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>.
Published: 2026-03-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality loss due to JavaScript data leakage
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from the reuse of JavaScript (Duktape) execution contexts in Zabbix Server and Proxy, allowing a non‑super administrator to craft or trigger scripts that read data from hosts they normally cannot access. This leads to the disclosure of sensitive configuration or credentials, impairing confidentiality. The weakness is identified as CWE‑488, reflecting improper isolation of execution contexts.

Affected Systems

All Zabbix Server and Proxy installations that employ the default Duktape context reuse are impacted. Any instance that has not applied the patch that enforces read‑only built‑in JavaScript objects remains vulnerable, regardless of major release.

Risk and Exploitability

With a CVSS score of 7.1 the flaw is of medium to high severity, yet it is not listed in the CISA Known Exploited Vulnerabilities catalog and EPSS information is unavailable. The attack vector is local; an attacker can exploit the issue by creating or editing JavaScript preprocessing scripts, a capability granted to regular administrators. The resulting harm is confined to information disclosure, but can be significant if confidential data is exposed.

Generated by OpenCVE AI on March 24, 2026 at 19:20 UTC.

Remediation

Vendor Solution

Update the affected components to their respective fixed versions. Make sure JavaScript item preprocessing scripts don't store secret data in global variables.


OpenCVE Recommended Actions

  • Update the Zabbix Server and Proxy components to the fixed versions that enforce read‑only built‑in JavaScript objects
  • Review existing JavaScript preprocessing scripts and remove any use of global variables that could store sensitive data
  • Verify that non‑super administrators can no longer access host data they are not authorized to view
  • Continuously monitor script changes to prevent accidental reintroduction of vulnerable code

Generated by OpenCVE AI on March 24, 2026 at 19:20 UTC.


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Zabbix; Zabbix zabbix
Vendors & Products | | Zabbix; Zabbix zabbix

Tue, 24 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | | For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>.
Title | | Insufficient isolation of JavaScript (Duktape) execution context on Zabbix Server
Weaknesses | | CWE-488
References | |
Metrics | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: Zabbix

Published:

Updated: 2026-03-24T18:36:16.860Z

Reserved: 2026-01-19T14:02:54.327Z

Link: CVE-2026-23919

Vulnrichment

Updated: 2026-03-24T18:36:13.549Z

NVD

Status : Awaiting Analysis

Published: 2026-03-24T19:16:49.290

Modified: 2026-03-25T15:41:58.280

Link: CVE-2026-23919

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:49:24Z

Weaknesses