Description
An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.
Published: 2026-03-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Possible Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The flaw (CWE-470, use of externally controlled input to select classes) lets an unauthenticated attacker name a PHP class in a request to the frontend's 'validate' action and have the Zabbix Frontend instantiate it. Whatever the named class's constructor does runs with the privileges of the web application, so the practical impact is set by which classes the frontend and its dependencies can load, not by the action itself. The vendor describes the impact as limited at this time, and the CVSS v4 vector rates confidentiality and integrity impact as none and availability impact as low; remote code execution or data exposure would require a loadable class whose constructor does something dangerous with attacker-supplied input, which the advisory does not report.
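The following is an added illustration of the weakness class, not Zabbix code: the Zabbix frontend is PHP and the advisory publishes no code, so this mirrors the CWE-470 pattern in Python. Every class and function name is hypothetical. It shows why "impact depends on the environment": the attacker-chosen constructor runs before any type check can reject the object, so the only effective control is an allow-list consulted before construction.

```python
"""Added illustration of CWE-470 (externally controlled class selection).

This is NOT Zabbix code. The Zabbix frontend is PHP, and the advisory
publishes no code; this mirrors the weakness class in Python so the
"impact depends on which classes are loadable" point can be seen
running. Every class and function name here is hypothetical.
"""
import sys
from typing import Type

# Events recorded by constructors, so a caller can see what actually ran.
SIDE_EFFECTS: list[str] = []


class Validator:
    """The kind of object the endpoint expects to build."""

    def __init__(self, field: str) -> None:
        self.field = field
        SIDE_EFFECTS.append(f"Validator({field!r})")


class CacheFlusher:
    """Unrelated class whose constructor has a side effect.

    Stands in for any class reachable by the application's autoloader
    whose constructor does real work: the "gadget" in a CWE-470 chain.
    """

    def __init__(self, target: str) -> None:
        SIDE_EFFECTS.append(f"flushed cache for {target!r}")


def instantiate_unsafe(class_name: str, arg: str) -> object:
    """Vulnerable pattern: build whatever class the request names.

    Equivalent to PHP `new $className($arg)`. The isinstance() check is
    too late: the constructor has already executed by the time it runs.
    """
    cls: Type = getattr(sys.modules[__name__], class_name)
    obj = cls(arg)
    if not isinstance(obj, Validator):
        raise TypeError(f"{class_name} is not a Validator")
    return obj


# Hardened pattern: an explicit allow-list maps request tokens to classes.
VALIDATORS: dict[str, Type[Validator]] = {
    "validator": Validator,
}


def instantiate_safe(kind: str, arg: str) -> Validator:
    """Resolve the request token against the allow-list BEFORE any
    constructor can run; unknown tokens never reach `cls(arg)`."""
    cls = VALIDATORS.get(kind)
    if cls is None:
        raise ValueError(f"unknown validator kind {kind!r}")
    return cls(arg)


def demo() -> dict[str, object]:
    """Run both paths against an attacker-chosen class name."""
    SIDE_EFFECTS.clear()
    results: dict[str, object] = {}

    try:
        instantiate_unsafe("CacheFlusher", "sessions")
    except TypeError as exc:
        results["unsafe_error"] = str(exc)
    # The rejection came after the damage was done.
    results["unsafe_side_effects"] = list(SIDE_EFFECTS)

    SIDE_EFFECTS.clear()
    try:
        instantiate_safe("CacheFlusher", "sessions")
    except ValueError as exc:
        results["safe_error"] = str(exc)
    results["safe_side_effects"] = list(SIDE_EFFECTS)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the unsafe path the request is rejected, but only after CacheFlusher's constructor has already run; in the safe path the unknown token never reaches a constructor. Which gadgets exist in a real deployment (and hence whether the flaw is a nuisance or RCE) depends entirely on the classes the autoloader can reach.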

Affected Systems

Zabbix frontend installations that expose the 'validate' action and predate the fix are affected. The affected versions are not listed in this advisory, so until the installed version is confirmed, treat any frontend released before the vendor's fix as potentially vulnerable. Administrators who cannot confirm the version should check whether the frontend is reachable from untrusted networks and restrict that access until the patch is applied.

Risk and Exploitability

The CVSS v4 base score of 6.9 is in the Medium range; the vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L) describes a network-reachable flaw that needs no privileges or user interaction and whose assessed impact is limited to low availability loss. EPSS is below 1%, the CVE is not in the CISA KEV catalog, and the SSVC assessment records no known exploitation while rating the flaw automatable with partial technical impact. Because a single unauthenticated request to the validate action suffices, exposure is broad even though the demonstrated impact is small.

Generated by OpenCVE AI on March 24, 2026 at 20:51 UTC.

Remediation

Vendor Solution

Update the affected components to their respective fixed versions.


OpenCVE Recommended Actions

  • Update Zabbix components to the fixed versions released by the vendor.
  • If a patch cannot be applied immediately, restrict the Frontend “validate” action: block requests carrying it at the reverse proxy or web server (then confirm that legitimate frontend functions still work), or limit access to the frontend to trusted addresses with firewall rules.
  • Apply network segmentation so that only monitoring operators and administrators can reach the Zabbix web interface.
  • Monitor web-server access logs for requests to the validate action, especially bursts from a single source or from networks that never log in, and watch the PHP/web-server error log: probing with class names that do not exist typically surfaces as "Class ... not found" errors.
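As an added example (not OpenCVE or Zabbix code) of the log monitoring recommended above, the script below flags requests to the frontend's validate action in web-server access logs and counts them per source. It assumes, which the page does not state, that the frontend's entry point is zabbix.php and that the action is selected with the `action` query parameter (`zabbix.php?action=validate`), and that the logs are in the common "combined" format; the log lines are constructed. It also catches a percent-encoded action name, which a naive grep for `action=validate` would miss.

```python
"""Added example: flag requests to the Zabbix frontend 'validate' action
in web-server access logs. Not OpenCVE or Zabbix code.

Assumptions (not stated on the page): the frontend's MVC entry point is
zabbix.php and the action is selected with the `action` query
parameter, as in `zabbix.php?action=validate`; the logs are in the
common "combined" format. The log lines below are constructed.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip - user [time] "request" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

TARGET_SCRIPT = "zabbix.php"   # assumed frontend entry point
TARGET_ACTION = "validate"     # action named in CVE-2026-23923

# Constructed sample log; 198.51.100.9 probes twice, once percent-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:19:20:01 +0000] "GET /zabbix.php?action=dashboard.view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Mar/2026:19:20:03 +0000] "GET /zabbix.php?action=validate&class=Foo HTTP/1.1" 200 312 "-" "curl/8.5.0"
198.51.100.9 - - [24/Mar/2026:19:20:04 +0000] "POST /zabbix.php?action=%76alidate HTTP/1.1" 200 298 "-" "curl/8.5.0"
203.0.113.7 - - [24/Mar/2026:19:20:09 +0000] "GET /zabbix/zabbix.php?action=VALIDATE HTTP/1.1" 200 300 "-" "python-requests/2.31"
192.0.2.4 - - [24/Mar/2026:19:20:10 +0000] "GET /index.php?action=validate HTTP/1.1" 200 900 "-" "Mozilla/5.0"
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_validate_request(target: str) -> bool:
    """True when the request targets zabbix.php with action=validate.

    parse_qs percent-decodes, so `action=%76alidate` is caught; the
    comparison is case-insensitive as a conservative detection choice.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/" + TARGET_SCRIPT):
        return False
    actions = parse_qs(parts.query).get("action", [])
    return any(a.lower() == TARGET_ACTION for a in actions)


def scan(log_text: str) -> list[dict]:
    """Return the parsed record of every request that hits the validate action."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_validate_request(rec["target"]):
            findings.append(rec)
    return findings


def sources(findings: list[dict]) -> Counter:
    """Per-source hit counts, so a burst from one client stands out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["method"]} {h["target"]} {h["status"]}')
    print("per-source:", dict(sources(hits)))
```

Access logs record the query string but not request bodies, so if a deployment passes the action in a POST body the detection needs the frontend's own logging or a proxy that logs bodies. Establish whether normal frontend use ever calls this action in your environment before alerting on every hit.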

Generated by OpenCVE AI on March 24, 2026 at 20:51 UTC.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Zabbix; Zabbix zabbix

Type: Vendors & Products
Values Added: Zabbix; Zabbix zabbix

Tue, 24 Mar 2026 19:00:00 +0000

Type: Description
Values Added: An unauthenticated attacker can exploit the Frontend 'validate' action to blindly instantiate arbitrary PHP classes. The impact depends on environment setup but appears limited at this time.

Type: Title
Values Added: Unauthenticated arbitrary PHP class instantiation

Type: Weaknesses
Values Added: CWE-470

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Zabbix

Published:

Updated: 2026-03-25T19:25:01.128Z

Reserved: 2026-01-19T14:02:54.327Z

Link: CVE-2026-23923

Vulnrichment

Updated: 2026-03-25T19:24:58.974Z

NVD

Status: Awaiting Analysis

Published: 2026-03-24T19:16:50.740

Modified: 2026-03-25T15:41:58.280

Link: CVE-2026-23923

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T21:27:45Z

Weaknesses