=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN267
_____________________________________________________________________

DATE                : 06/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Zabbix versions prior to
                              6.0.41, 7.0.18, 7.4.2.

=====================================================================
https://support.zabbix.com/browse/ZBX-27567
_____________________________________________________________________

Unauthorized host creation via configuration.import API by
low-privilege user with write permissions (CVE-2026-23925)


CVE ID          CVE-2026-23925
CVSS score      5.1 (Medium)
CVSS vector     CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:L/SC:H/SI:N/SA:L


Affected components : API

Summary             : Unauthorized host creation via configuration.import
                      API by low-privilege user with write permissions

Description         : An authenticated Zabbix user (User role) with
                      template/host write permissions is able to create
                      objects via the configuration.import API. This can
                      lead to confidentiality loss by creating
                      unauthorized hosts. Note that the User role is
                      normally not sufficient to create and edit
                      templates/hosts even with write permissions.

Known attack vectors: Low-privilege user invoking configuration.import
                      to perform unauthorized object creation.

Affected and fixed versions:
  Affected: 6.0.0 - 6.0.40 → Fixed: 6.0.41
  Affected: 7.0.0 - 7.0.17 → Fixed: 7.0.18
  Affected: 7.4.0 - 7.4.1  → Fixed: 7.4.2

Mitigation          : Update the affected components to their respective
                      fixed versions.

Workarounds         : Remove template and host write permissions for
                      non-admin users.
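The workaround above asks administrators to strip host/template write permissions from non-admin users. The script below, added here as an example and not part of the CERT-Renater note or of Zabbix itself, lists the user groups that still grant read-write rights on host or template groups to members holding a User-type role. It assumes the 7.0-style usergroup.get/role.get fields (hostgroup_rights, templategroup_rights, users[].roleid, role type) with the 6.0 "rights" shape as a fallback, and uses constructed sample replies so it runs offline.

```python
import json
import urllib.request
READ_WRITE = 3       # usergroup rights "permission": 0 deny, 2 read-only, 3 read-write
USER_ROLE_TYPE = 1   # role.get "type": 1 User, 2 Admin, 3 Super admin

def zabbix_call(url, token, method, params):
    """Minimal JSON-RPC 2.0 call to .../api_jsonrpc.php with an API token (Bearer auth, 6.4+)."""
    body = json.dumps({"jsonrpc": "2.0", "method": method, "params": params, "id": 1}).encode()
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/json-rpc", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]

def find_exposed_groups(usergroups, roles):
    """[(group name, User-role members, read-write rights)] for groups giving User-role members RW."""
    role_type = {r["roleid"]: int(r["type"]) for r in roles}  # API returns numbers as strings
    findings = []
    for g in usergroups:
        # 7.0 field names first; "rights" is the 6.0 (selectRights) shape
        rights = g.get("hostgroup_rights", []) + g.get("templategroup_rights", []) + g.get("rights", [])
        rw = [r for r in rights if int(r["permission"]) == READ_WRITE]
        members = [u["username"] for u in g.get("users", [])
                   if role_type.get(u.get("roleid")) == USER_ROLE_TYPE]
        if rw and members:
            findings.append((g["name"], members, rw))
    return findings

def audit_live(url, token):
    """Same check against a real server (assumed select* parameter names of the 7.0 API)."""
    groups = zabbix_call(url, token, "usergroup.get", {
        "output": ["usrgrpid", "name"], "selectUsers": ["userid", "username", "roleid"],
        "selectHostGroupRights": "extend", "selectTemplateGroupRights": "extend"})
    roles = zabbix_call(url, token, "role.get", {"output": ["roleid", "name", "type"]})
    return find_exposed_groups(groups, roles)

# Constructed sample replies (no real server, users or groups) in the shape returned above.
SAMPLE_ROLES = [{"roleid": "1", "name": "User role", "type": "1"}, {"roleid": "2", "name": "Admin role", "type": "2"}]
SAMPLE_GROUPS = [
    {"name": "Ops-ReadWrite", "users": [{"username": "bob", "roleid": "1"}],
     "hostgroup_rights": [{"id": "2", "permission": "3"}], "templategroup_rights": []},
    {"name": "Viewers", "users": [{"username": "eve", "roleid": "1"}],
     "hostgroup_rights": [{"id": "2", "permission": "2"}], "templategroup_rights": []},
    {"name": "Admins", "users": [{"username": "alice", "roleid": "2"}],
     "hostgroup_rights": [], "templategroup_rights": [{"id": "1", "permission": "3"}]}]

if __name__ == "__main__":
    for name, users, rights in find_exposed_groups(SAMPLE_GROUPS, SAMPLE_ROLES):
        print(f"{name}: User-role members {users} hold read-write on groups {[r['id'] for r in rights]}")
```

Only the sample run is offline; audit_live(url, token) performs the real queries and needs an API token with rights to read user groups and roles.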


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================