2450874 – (CVE-2026-23919) CVE-2026-23919 Zabbix Server: Zabbix Proxy: Duktape: Zabbix Server and Proxy: Information disclosure via reused JavaScript contexts

Bug 2450874 (CVE-2026-23919) - CVE-2026-23919 Zabbix Server: Zabbix Proxy: Duktape: Zabbix Server and Proxy: Information disclosure via reused JavaScript contexts

Summary: CVE-2026-23919 Zabbix Server: Zabbix Proxy: Duktape: Zabbix Server and Proxy:...

Keywords:
Status:	NEW
Alias:	CVE-2026-23919
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2450932 2450934 2450937 2450941
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-24 19:03 UTC by OSIDB Bzimport
Modified:	2026-03-24 20:21 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-24 19:03:06 UTC

For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>.

Note You need to log in before you can comment on or make changes to this bug.