Zabbix: Unauthorized Host Creation via API with User Role Permissions

CVE-2026-23925
Summary

An authenticated Zabbix user with limited permissions (the User role with template/host write permissions) can create new hosts through the configuration.import API, which can lead to loss of confidentiality. Deployments that grant template/host write permissions to User-role accounts should review their access controls and consider restricting API access. Patching Zabbix is recommended to prevent unauthorized host creation.

Original title
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthori...
Original description
An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.
NVD CVSS 4.0 score: 5.1
Vulnerability type
CWE-863 Incorrect Authorization
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026