Description
A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.
Published: 2026-03-24
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

A low‑privileged Zabbix user with API access can influence the sortfield parameter in the API to inject arbitrary, read‑only SQL statements. The injected SELECT commands do not return results directly, but an attacker can still extract database information by measuring timing responses or other side‑channels. This capability could lead to disclosure of session identifiers or even compromise of administrator accounts.

Affected Systems

The vulnerability exists in Zabbix’s API component located in include/classes/api/CApiService.php. Versions affected are not explicitly enumerated in the advisory, so any deployment exposing the Zabbix API to users with API rights may be susceptible.

Risk and Exploitability

With a CVSS base score of 8.7, this issue is rated as high risk. The EPSS score is not available, and it is not listed in the CISA KEV catalog, though that is not a mitigation. An attacker only needs low‑privilege API access; the exploit requires normal network connectivity to the Zabbix server. Although direct data retrieval is not possible in the response, time‑based inference allows exfiltration, making the attack practical. The potential impact includes data confidentiality loss and possible administrative privilege escalation.

Generated by OpenCVE AI on March 24, 2026 at 20:26 UTC.

Remediation

Vendor Solution

Update the affected components to their respective fixed versions.


OpenCVE Recommended Actions

  • Apply the vendor patch that updates Zabbix API components to the fixed version.
  • Restrict API permissions so that only trusted users have access to the sortfield parameter.
  • Monitor API logs for unusual timing patterns or repeated queries that may indicate exploitation.
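One way to act on the monitoring recommendation above, as an added example that is not part of the OpenCVE page and not Zabbix's own tooling: a small detector run over API audit records. It assumes a constructed JSON-lines layout (fields ts, user, method, sortfield, duration_ms), which is not Zabbix's real log format, and it flags two footprints that time-based inference leaves: sortfield values that are not bare column identifiers, and users with repeated responses far slower than the fleet-wide median. Thresholds (slow_factor, min_slow) are assumptions to tune per deployment.

```python
import json
import re
import statistics
from collections import defaultdict

# Constructed API audit log in JSON-lines form. The field layout (ts, user,
# method, sortfield, duration_ms) is an assumption made for this example; it is
# not Zabbix's own log format. "mallory" shows the probing pattern.
SAMPLE_LOG = """\
{"ts": 1774380000, "user": "alice",   "method": "host.get",    "sortfield": "name",             "duration_ms": 12}
{"ts": 1774380001, "user": "bob",     "method": "item.get",    "sortfield": "itemid",           "duration_ms": 9}
{"ts": 1774380002, "user": "alice",   "method": "host.get",    "sortfield": ["name", "hostid"], "duration_ms": 15}
{"ts": 1774380003, "user": "mallory", "method": "host.get",    "sortfield": "name",             "duration_ms": 12}
{"ts": 1774380004, "user": "mallory", "method": "host.get",    "sortfield": "name'",            "duration_ms": 2014}
{"ts": 1774380005, "user": "bob",     "method": "trigger.get", "sortfield": "priority",         "duration_ms": 14}
{"ts": 1774380006, "user": "mallory", "method": "host.get",    "sortfield": "name",             "duration_ms": 13}
{"ts": 1774380007, "user": "mallory", "method": "host.get",    "sortfield": "name'",            "duration_ms": 2009}
{"ts": 1774380008, "user": "mallory", "method": "host.get",    "sortfield": "name",             "duration_ms": 2011}
{"ts": 1774380009, "user": "alice",   "method": "host.get",    "sortfield": "name",             "duration_ms": 11}
{"ts": 1774380010, "user": "mallory", "method": "host.get",    "sortfield": "name",             "duration_ms": 14}
"""

# A legitimate sortfield names a column: identifier characters only.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_records(text):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def sortfield_is_plain(value):
    """True when sortfield is a bare identifier or a list of bare identifiers."""
    if isinstance(value, str):
        return bool(IDENT_RE.match(value))
    if isinstance(value, list):
        return all(isinstance(v, str) and IDENT_RE.match(v) for v in value)
    return False


def analyze(records, slow_factor=10.0, min_slow=3):
    """Summarise per-user API behaviour and flag users whose requests look like
    blind, time-based probing: any non-identifier sortfield, or at least
    min_slow responses slower than slow_factor times the fleet-wide median."""
    if not records:
        return {}
    baseline = statistics.median(r["duration_ms"] for r in records)
    slow_threshold = baseline * slow_factor
    per_user = defaultdict(lambda: {"requests": 0, "odd_sortfield": 0, "slow_requests": 0})
    for r in records:
        stats = per_user[r["user"]]
        stats["requests"] += 1
        if not sortfield_is_plain(r.get("sortfield")):
            stats["odd_sortfield"] += 1
        if r["duration_ms"] > slow_threshold:
            stats["slow_requests"] += 1
    for stats in per_user.values():
        stats["suspicious"] = stats["odd_sortfield"] > 0 or stats["slow_requests"] >= min_slow
    return dict(per_user)


def suspicious_users(text=SAMPLE_LOG):
    """Users flagged in the given log text, sorted by name."""
    return sorted(u for u, s in analyze(parse_records(text)).items() if s["suspicious"])


if __name__ == "__main__":
    for user, stats in analyze(parse_records(SAMPLE_LOG)).items():
        print(user, stats)
```

Feed it the API audit stream your deployment actually produces after mapping the fields; the identifier check alone is a cheap, low-noise alert, while the timing check needs a baseline from normal traffic so that slow-but-legitimate reports are not flagged.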

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Zabbix; Zabbix zabbix
Vendors & Products  |                | Zabbix; Zabbix zabbix

Tue, 24 Mar 2026 19:00:00 +0000

Type        | Values Removed | Values Added
Description |                | A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.
Title       |                | Blind, read-only SQL injection in Zabbix API via sortfield parameter
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Zabbix

Published:

Updated: 2026-03-26T03:55:36.177Z

Reserved: 2026-01-19T14:02:54.327Z

Link: CVE-2026-23921

Vulnrichment

Updated: 2026-03-25T19:24:29.258Z

NVD

Status: Awaiting Analysis

Published: 2026-03-24T19:16:50.563

Modified: 2026-03-25T15:41:58.280

Link: CVE-2026-23921

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:49:21Z

Weaknesses