CVE-2026-23919

For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>.

CVSS

No CVSS.

References

Link	Resource
https://support.zabbix.com/browse/ZBX-27638

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-24 19:16

Updated : 2026-03-25 15:41

NVD link : CVE-2026-23919

Mitre link : CVE-2026-23919

CVE.ORG link : CVE-2026-23919

JSON object : View

Products Affected

No product.

CWE

CWE-488

Exposure of Data Element to Wrong Session

{"id": "CVE-2026-23919", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@zabbix.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-24T19:16:49.290", "references": [{"url": "https://support.zabbix.com/browse/ZBX-27638", "source": "security@zabbix.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@zabbix.com", "description": [{"lang": "en", "value": "CWE-488"}]}], "descriptions": [{"lang": "en", "value": "For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>."}, {"lang": "es", "value": "Por razones de rendimiento, Zabbix Server/Proxy reutiliza contextos de JavaScript (Duktape) (utilizados en elementos de script, reprocesamiento de JavaScript, Webhooks). Esto puede llevar a una p\u00e9rdida de confidencialidad donde un administrador de Zabbix regular (no-super) filtra datos de hosts a los que no tiene acceso. Se ha lanzado una correcci\u00f3n que hace que los objetos JavaScript integrados de Zabbix sean de solo lectura, pero tenga en cuenta que el uso de variables globales de JavaScript no est\u00e1 recomendado porque su contenido podr\u00eda ser filtrado. M\u00e1s informaci\u00f3n <a href=\"https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe\" rel=\"nofollow\">en la documentaci\u00f3n de Zabbix</a>."}], "lastModified": "2026-03-25T15:41:58.280", "sourceIdentifier": "security@zabbix.com"}