Unrated severityNVD Advisory· Published Mar 6, 2026· Updated Mar 9, 2026

Unauthorized host creation via configuration.import API by low-privilege user with write permissions

CVE-2026-23925

Description

An authenticated Zabbix user (User role) with template/host write permissions is able to create objects via the configuration.import API. This can lead to confidentiality loss by creating unauthorized hosts. Note that the User role is normally not sufficient to create and edit templates/hosts even with write permissions.

Affected products

Zabbix/Zabbixllm-fuzzy2 versions
(expand)+ 1 more
- (no CPE)
- (no CPE)range: 6.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

support.zabbix.com/browse/ZBX-27567mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000