CVE-2026-23925 MEDIUM

CVE-2026-23925: Unauthorized host creation via configuration.import API by low-privilege user with write permissions

Vendor Zabbix
Product Zabbix
Weakness CWE-863 · Incorrect authorization
Published March 6, 2026
Last update March 9, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L

What the vulnerability does

01 Description

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.

Key dates

02 Disclosure timeline

March 6, 2026 CVE published
March 9, 2026 Record updated