CVE-2022-23131 CRITICAL

CVE-2022-23131: Unsafe client-side session storage leading to authentication bypass/instance takeover via Zabbix Frontend with configured SAML

Vendor Zabbix
Product Frontend
Weakness CWE-290
KEV Status Known Exploited
Published January 13, 2022
Last update October 21, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

Description

In instances where SAML SSO authentication is enabled (it is not enabled by default), session data can be modified by a malicious actor, because the user login stored in the session was not verified. A malicious unauthenticated actor may exploit this issue to escalate privileges and gain admin access to the Zabbix Frontend. To perform the attack, SAML authentication must be enabled and the actor has to know the username of a Zabbix user (or use the guest account, which is disabled by default).

CISA mandated remediation

CISA Required Action

Apply updates per vendor instructions.

Key dates

Disclosure timeline

January 13, 2022 CVE published
October 21, 2025 Record updated