Description
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.
Published: 2026-03-06
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized host creation
Action: Apply Patch
AI Analysis

Impact

An authenticated Zabbix user with template/host write permissions can use the configuration.import API to create new objects. This allows the user to add unauthorized hosts to the system, leading to potential confidentiality loss. The vulnerability originates from insufficient validation of user permissions for the import operation. The issue reflects an authorization flaw (CWE-266) and privilege escalation via API import (CWE-863).

Affected Systems

The affected product is Zabbix from the Zabbix vendor. Version information is not provided in the advisory, so the issue may affect any Zabbix installation that has not applied the published patch.

Risk and Exploitability

The CVSS score of 5.1 indicates a medium severity level. The EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be network-based via the web API, requiring only authentication with sufficient write permissions. Successful exploitation would allow an attacker to create unauthorized hosts and potentially gain further access to the monitored infrastructure.

Generated by OpenCVE AI on April 17, 2026 at 12:21 UTC.

Remediation

Vendor Solution

Update the affected components to their respective fixed versions.


Vendor Workaround

Remove template and host write permissions for non-admin users.


OpenCVE Recommended Actions

  • Upgrade Zabbix to a version where the vulnerability is fixed
  • Remove template and host write permissions for non-admin users
  • Monitor API calls and maintain audit logs for configuration.import activity
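The third action above is the one a defender can implement right away while waiting for the upgrade window. As an added illustration that is not part of the OpenCVE record or of Zabbix itself, the script below scans a constructed log of JSON-RPC request bodies and flags every configuration.import call made by a user outside an administrator allowlist, highlighting calls whose import rules allow creating missing hosts or templates (the object-creation path the CVE describes). The log layout, the "user"/"src"/"ts" wrapper fields and the ADMIN_USERS allowlist are assumptions for this example; the "method" field, the configuration.import method name and the "format"/"rules"/"createMissing" parameter names follow the public Zabbix API.

```python
import json

# Constructed sample, not a real capture: one JSON object per line, in the shape
# a reverse proxy or API gateway in front of api_jsonrpc.php might log requests,
# with the authenticated username attached by the proxy (an assumption here).
SAMPLE_LOG = """\
{"ts": "2026-03-06T10:01:12Z", "user": "Admin", "src": "10.0.0.5", "body": {"jsonrpc": "2.0", "method": "host.get", "params": {"output": ["hostid"]}, "id": 1}}
{"ts": "2026-03-06T10:02:40Z", "user": "alice", "src": "10.0.0.23", "body": {"jsonrpc": "2.0", "method": "configuration.import", "params": {"format": "json", "rules": {"hosts": {"createMissing": true}}, "source": "..."}, "id": 2}}
{"ts": "2026-03-06T10:03:05Z", "user": "Admin", "src": "10.0.0.5", "body": {"jsonrpc": "2.0", "method": "configuration.import", "params": {"format": "yaml", "rules": {"templates": {"createMissing": true}}, "source": "..."}, "id": 3}}
{"ts": "2026-03-06T10:04:51Z", "user": "bob", "src": "10.0.0.44", "body": {"jsonrpc": "2.0", "method": "configuration.import", "params": {"format": "xml", "rules": {"hosts": {"createMissing": false, "updateExisting": true}}, "source": "..."}, "id": 4}}
not-json garbage line
"""

# Constructed allowlist: accounts that are expected to run imports at all.
ADMIN_USERS = {"Admin"}


def parse_log(text):
    """Parse one JSON record per line, skipping malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def creating_rules(params):
    """Return the object types whose import rules permit creating missing objects."""
    rules = params.get("rules") or {}
    return sorted(
        name for name, rule in rules.items()
        if isinstance(rule, dict) and rule.get("createMissing")
    )


def find_suspicious_imports(events, admins=ADMIN_USERS):
    """Flag configuration.import calls from any account not on the admin allowlist."""
    findings = []
    for ev in events:
        body = ev.get("body") or {}
        if body.get("method") != "configuration.import":
            continue
        user = ev.get("user")
        if user in admins:
            continue
        params = body.get("params") or {}
        findings.append({
            "ts": ev.get("ts"),
            "user": user,
            "src": ev.get("src"),
            "format": params.get("format"),
            # Non-empty means the call could create new hosts/templates.
            "creates": creating_rules(params),
        })
    return findings


def main():
    for f in find_suspicious_imports(parse_log(SAMPLE_LOG)):
        level = "HIGH" if f["creates"] else "INFO"
        print(f"[{level}] {f['ts']} user={f['user']} src={f['src']} "
              f"format={f['format']} createMissing={f['creates'] or '-'}")


if __name__ == "__main__":
    main()
```

On the sample above, alice's import is rated HIGH because its rules allow creating hosts, while bob's update-only import is logged at INFO; the administrator's own imports are not reported. In production the allowlist would come from the role assignments the workaround above tightens, and the same check can run against Zabbix's own audit log once imports by non-admin users are exported to the SIEM.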

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 21:15:00 +0000

Metrics
  Values Removed: -
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

First Time appeared
  Values Removed: -
  Values Added: Zabbix; Zabbix zabbix
Vendors & Products
  Values Removed: -
  Values Added: Zabbix; Zabbix zabbix

Fri, 06 Mar 2026 12:15:00 +0000

Weaknesses
  Values Removed: -
  Values Added: CWE-266
References
Metrics
  Values Removed: threat_severity None
  Values Added: cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}; threat_severity Moderate


Fri, 06 Mar 2026 08:30:00 +0000

Description
  Values Removed: -
  Values Added: An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.
Title
  Values Removed: -
  Values Added: Unauthorized host creation via configuration.import API by low-privilege user with write permissions
Weaknesses
  Values Removed: -
  Values Added: CWE-863
References
Metrics
  Values Removed: -
  Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: Zabbix

Published:

Updated: 2026-03-09T20:54:45.380Z

Reserved: 2026-01-19T14:02:54.327Z

Link: CVE-2026-23925

Vulnrichment

Updated: 2026-03-09T20:54:42.228Z

NVD

Status: Awaiting Analysis

Published: 2026-03-06T09:15:56.100

Modified: 2026-03-09T13:35:34.633

Link: CVE-2026-23925

Red Hat

Severity: Moderate

Public Date: 2026-03-06T08:24:15Z

Links: CVE-2026-23925 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses