{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23921", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "state": "PUBLISHED", "assignerShortName": "Zabbix", "dateReserved": "2026-01-19T14:02:54.327Z", "datePublished": "2026-03-24T18:28:41.491Z", "dateUpdated": "2026-03-26T03:55:36.177Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2026-03-24T18:28:41.491Z"}, "title": "Blind, read-only SQL injection in Zabbix API via sortfield parameter", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "CAPEC-7: Blind SQL Injection"}]}], "affected": [{"vendor": "Zabbix", "product": "Zabbix", "repo": "https://git.zabbix.com/", "modules": ["API"], "versions": [{"status": "affected", "version": "7.0.0", "lessThanOrEqual": "7.0.21", "changes": [{"at": "7.0.22", "status": "unaffected"}], "versionType": "git"}, {"status": "affected", "version": "7.2.0", "lessThanOrEqual": "7.2.14", "changes": [{"at": "7.2.15", "status": "unaffected"}], "versionType": "git"}, {"status": "affected", "version": "7.4.0", "lessThanOrEqual": "7.4.5", "changes": [{"at": "7.4.6", "status": "unaffected"}], "versionType": "git"}], "defaultStatus": "unknown"}], "descriptions": [{"lang": "en", "value": "A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.</p>"}]}], "references": [{"url": "https://support.zabbix.com/browse/ZBX-27640"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "configurations": [{"lang": "en", "value": "To exploit this vulnerability an attacker needs access to a Zabbix account with API access.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>To exploit this vulnerability an attacker needs access to a Zabbix account with API access.</p>"}]}], "solutions": [{"lang": "en", "value": "Update the affected components to their respective fixed versions.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Update the affected components to their respective fixed versions.</p>"}]}], "credits": [{"lang": "en", "value": "Zabbix wants to thank SeaWind for submitting this report on the HackerOne bug bounty platform.", "type": "reporter"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-23921"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T03:55:36.177Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23921", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T19:24:25.119854Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:24:29.258Z"}}], "cna": {"title": "Blind, read-only SQL injection in Zabbix API via sortfield parameter", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Zabbix wants to thank SeaWind for submitting this report on the HackerOne bug bounty platform."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "CAPEC-7: Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://git.zabbix.com/", "vendor": "Zabbix", "modules": ["API"], "product": "Zabbix", "versions": [{"status": "affected", "changes": [{"at": "7.0.22", "status": "unaffected"}], "version": "7.0.0", "versionType": "git", "lessThanOrEqual": "7.0.21"}, {"status": "affected", "changes": [{"at": "7.2.15", "status": "unaffected"}], "version": "7.2.0", "versionType": "git", "lessThanOrEqual": "7.2.14"}, {"status": "affected", "changes": [{"at": "7.4.6", "status": "unaffected"}], "version": "7.4.0", "versionType": "git", "lessThanOrEqual": "7.4.5"}], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "Update the affected components to their respective fixed versions.", "supportingMedia": [{"type": "text/html", "value": "<p>Update the affected components to their respective fixed versions.</p>", "base64": false}]}], "references": [{"url": "https://support.zabbix.com/browse/ZBX-27640"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.", "supportingMedia": [{"type": "text/html", "value": "<p>A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "configurations": [{"lang": "en", "value": "To exploit this vulnerability an attacker needs access to a Zabbix account with API access.", "supportingMedia": [{"type": "text/html", "value": "<p>To exploit this vulnerability an attacker needs access to a Zabbix account with API access.</p>", "base64": false}]}], "providerMetadata": {"orgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "shortName": "Zabbix", "dateUpdated": "2026-03-24T18:28:41.491Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23921", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:24:33.370Z", "dateReserved": "2026-01-19T14:02:54.327Z", "assignerOrgId": "72de3e22-0555-4a0d-ae81-9249e0f0a1e8", "datePublished": "2026-03-24T18:28:41.491Z", "assignerShortName": "Zabbix"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise."}], "id": "CVE-2026-23921", "lastModified": "2026-03-25T15:41:58.280", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@zabbix.com", "type": "Secondary"}]}, "published": "2026-03-24T19:16:50.563", "references": [{"source": "security@zabbix.com", "url": "https://support.zabbix.com/browse/ZBX-27640"}], "sourceIdentifier": "security@zabbix.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@zabbix.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.0.21]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.2.14]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,7.4.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Zabbix", "source": "cna", "vendor": "Zabbix"}, "product": "zabbix", "vendor": "zabbix"}], "analysis": {"en": {"generated_at": "2026-03-24T20:26:00.763639+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch that updates Zabbix API components to the fixed version.", "Restrict API permissions so that only trusted users have access to the sortfield parameter.", "Monitor API logs for unusual timing patterns or repeated queries that may indicate exploitation."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in Zabbix\u2019s API component located in include/classes/api/CApiService.php. Versions affected are not explicitly enumerated in the advisory, so any deployment exposing the Zabbix API to users with API rights may be susceptible.", "description_and_impact": "A low\u2011privileged Zabbix user with API access can influence the sortfield parameter in the API to inject arbitrary, read\u2011only SQL statements. The injected SELECT commands do not return results directly, but an attacker can still extract database information by measuring timing responses or other side\u2011channels. This capability could lead to disclosure of session identifiers or even compromise of administrator accounts.", "risk_and_exploitability": "With a CVSS base score of 8.7, this issue is rated as high risk. The EPSS score is not available, and it is not listed in the CISA KEV catalog, though that is not a mitigation. An attacker only needs low\u2011privilege API access; the exploit requires normal network connectivity to the Zabbix server. Although direct data retrieval is not possible in the response, time\u2011based inference allows exfiltration, making the attack practical. The potential impact includes data confidentiality loss and possible administrative privilege escalation."}}}}, "created": "2026-03-25T11:46:37.179016+00:00", "updated": "2026-03-25T20:49:21.891469+00:00", "vendors": ["zabbix", "zabbix$PRODUCT$zabbix"]}