A high-severity security vulnerability has been identified in the Zabbix API, a popular open-source monitoring solution used by enterprises worldwide to track the status of network services, servers, and hardware. The flaw, tracked as CVE-2026-23921, carries a CVSS score of 8.7, signaling a significant risk to the integrity of database environments managed by the platform.
The vulnerability allows for a blind, read-only SQL injection, providing a pathway for attackers to exfiltrate sensitive data through specialized, time-based techniques.
The vulnerability resides in the include/classes/api/CApiService.php component of the Zabbix API. It centers on the improper handling of the sortfield parameter, which is typically used to organize data returned by API queries.
According to the security advisory:
“A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability… to execute arbitrary SQL selects via the sortfield parameter”.
While the results of these unauthorized queries are not returned to the attacker directly, the “blind” nature of the flaw means an attacker can still deduce information by measuring the time the server takes to respond to specially crafted requests.
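The defensive pattern the advisory implies is that a sort parameter must never reach SQL unless it is a plain identifier drawn from a per-method allowlist. The following Python is an added example, not Zabbix code and not taken from CApiService.php: it shows such an allowlist check and reuses it to flag API requests in a log whose sortfield would not pass. The method names, the column allowlists, the log format and the log lines themselves are constructed for the example.

```python
import json
import re

# Constructed allowlist: which columns a given API method permits for sorting.
# Real Zabbix methods define their own sort fields; these names are assumptions
# for the example, not copied from the Zabbix source.
ALLOWED_SORT_FIELDS = {
    "host.get": {"hostid", "host", "name", "status"},
    "item.get": {"itemid", "name", "key_", "delay", "status"},
}

# A sort field must look like a bare SQL identifier; anything else is rejected
# before the allowlist is even consulted.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_sortfield(method, sortfield):
    """Return the validated list of sort fields, or raise ValueError.

    The Zabbix API accepts sortfield as a single string or a list of strings.
    Every entry must be a plain identifier AND be present in the allowlist for
    the method; the raw value is never interpolated into a query.
    """
    if isinstance(sortfield, str):
        fields = [sortfield]
    elif isinstance(sortfield, list) and all(isinstance(f, str) for f in sortfield):
        fields = sortfield
    else:
        raise ValueError("sortfield must be a string or a list of strings")
    allowed = ALLOWED_SORT_FIELDS.get(method, set())
    for field in fields:
        if not IDENTIFIER_RE.match(field) or field not in allowed:
            raise ValueError(f"sortfield {field!r} is not permitted for {method}")
    return fields


def flag_suspicious_requests(log_lines):
    """Scan JSON-RPC request log lines (one JSON object per line, constructed
    format) and return (user, method, sortfield, reason) for every request
    whose sortfield would fail validate_sortfield()."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a request record; skip it
        params = entry.get("params") or {}
        if "sortfield" not in params:
            continue
        try:
            validate_sortfield(entry.get("method", ""), params["sortfield"])
        except ValueError as exc:
            findings.append((entry.get("user"), entry.get("method"),
                             params["sortfield"], str(exc)))
    return findings


# Constructed sample log lines; not real Zabbix output.
SAMPLE_LOG = [
    '{"user":"alice","method":"host.get","params":{"sortfield":"name"}}',
    '{"user":"alice","method":"item.get","params":{"sortfield":["name","key_"]}}',
    '{"user":"bob","method":"host.get","params":{"sortfield":"name, (hostid"}}',
    '{"user":"bob","method":"host.get","params":{"sortfield":"passwd"}}',
    '{"user":"carol","method":"host.get","params":{"sortfield":["host","status"]}}',
    'not a json record',
]

if __name__ == "__main__":
    for finding in flag_suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Two of the constructed lines are flagged: one because the value is not an identifier at all, and one because "passwd" is a well-formed identifier that simply is not a sort column of host.get. That second case is the important one for a blind injection of this kind: an identifier check alone is not sufficient, the value must also be confined to the columns the method actually exposes.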
The ability to execute arbitrary SQL selects is a powerful tool for a malicious actor. Researchers warn that this flaw can be used to harvest sensitive information from the underlying Zabbix database.
Potential consequences include:
- Session Identifier Disclosure: Attackers can exfiltrate active session IDs, allowing them to hijack existing user connections.
- Administrator Compromise: By targeting administrative account data, a low-privileged user could escalate their access to gain full control over the Zabbix monitoring environment.
- Network Reconnaissance: Since Zabbix stores detailed information about an organization’s infrastructure, an attacker could use this access to map out targets for subsequent lateral movement.
The vulnerability affects multiple versions of the Zabbix platform. Administrators should immediately check their current deployment against the following list of affected versions:
- Zabbix 7.0: Versions 7.0.0 through 7.0.21.
- Zabbix 7.2: Versions 7.2.0 through 7.2.14.
- Zabbix 7.4: Versions 7.4.0 through 7.4.5.
To exploit this vulnerability, an attacker must already have access to a Zabbix account that has API permissions enabled.
The primary defense against this threat is to update the affected components to their respective fixed versions. Zabbix has released the following patches to resolve the issue:
- Update to 7.0.22.
- Update to 7.2.15.
- Update to 7.4.6.
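To check a deployment against the affected and fixed versions listed above, the version string can be read from the server's own JSON-RPC endpoint and compared with the ranges. The following Python is an added example, not part of the advisory or of Zabbix: it builds the request for the real apiinfo.version method (which needs no authentication token), parses a response, and classifies the version as affected, fixed, or not listed on this page. The response body is constructed for the example; only the version ranges come from the text above.

```python
import json
import re

# Affected ranges and fixed releases exactly as listed above:
# (branch, first affected, last affected, fixed release)
AFFECTED = [
    ("7.0", (7, 0, 0), (7, 0, 21), "7.0.22"),
    ("7.2", (7, 2, 0), (7, 2, 14), "7.2.15"),
    ("7.4", (7, 4, 0), (7, 4, 5), "7.4.6"),
]

# Leading major.minor.patch; any suffix (e.g. "rc1") is ignored, so a
# pre-release of the fixed version is treated as that version.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '7.0.21' into the comparable tuple (7, 0, 21)."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Zabbix version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def assess_version(text):
    """Return ('affected', fix), ('fixed', fix) or ('unlisted', None).

    'unlisted' means the branch is not named on this page at all; it is not
    a statement that the version is safe.
    """
    version = parse_version(text)
    for _branch, low, high, fix in AFFECTED:
        if version[:2] != low[:2]:
            continue  # different release branch
        if low <= version <= high:
            return ("affected", fix)
        return ("fixed", fix)  # at or beyond the fixed release of this branch
    return ("unlisted", None)


def build_version_request():
    """JSON-RPC body for apiinfo.version, a real Zabbix API method that
    takes an empty params list and requires no auth token."""
    return json.dumps({"jsonrpc": "2.0", "method": "apiinfo.version",
                       "params": [], "id": 1})


def assess_apiinfo_response(body):
    """Parse a JSON-RPC response to apiinfo.version and classify it."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"API error: {data['error']}")
    return assess_version(data["result"])


# Constructed sample response, not captured from a real server.
SAMPLE_RESPONSE = '{"jsonrpc":"2.0","result":"7.0.21","id":1}'

if __name__ == "__main__":
    print(build_version_request())
    print(assess_apiinfo_response(SAMPLE_RESPONSE))
```

In use, build_version_request() would be POSTed to the server's api_jsonrpc.php endpoint with a JSON content type, and the body of the reply passed to assess_apiinfo_response(); the constructed sample stands in for that reply here.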
In addition to patching, organizations should follow the principle of least privilege by regularly auditing which users have API access and disabling it for accounts that do not strictly require it for their roles.