CVE-2026-23925

Unauthorized host creation via configuration.import API by low-privilege user with write permissions

Description

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.

INFO

Published Date :

2026-03-06T08:24:15.428Z

Last Modified :

2026-03-06T08:24:15.428Z

Source :

Zabbix

AFFECTED PRODUCTS

The following products are affected by CVE-2026-23925 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23925.

URL	Resource
https://support.zabbix.com/browse/ZBX-27567

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability