Bug 2445155 (CVE-2026-23925)

Summary: CVE-2026-23925 zabbix: Zabbix: Confidentiality loss via improper access control in configuration.import API
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Zabbix. An authenticated user with the 'User' role, who also possesses write permissions for templates or hosts, can exploit the `configuration.import` API. This allows them to create unauthorized objects, such as hosts, which can lead to a loss of confidentiality within the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2445156, 2445157, 2445159, 2445158    
Bug Blocks:    

Description OSIDB Bzimport 2026-03-06 09:03:04 UTC 
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.