Main Vulnerability Database SB2026032515

SB2026032515 - Security restrictions bypass in Zabbix

Published: March 25, 2026

Security Bulletin ID SB2026032515

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-23919)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to insufficient isolation of JavaScript (Duktape) execution context in Zabbix Server/Proxy when reusing JavaScript contexts for script items, JavaScript reprocessing, and Webhooks. A remote privileged user can overwrite built-in JavaScript functions or read global JavaScript variables to disclose sensitive information.

Exploitation requires a regular (non-super) Zabbix administrator account. The impact includes confidentiality loss where data from hosts the user does not have access to may be leaked.

Remediation

Install update from vendor's website.

References

https://support.zabbix.com/browse/ZBX-27638