CVE-2026-23919 Overview
A high-severity information disclosure vulnerability exists in Zabbix Server and Proxy components due to the reuse of JavaScript (Duktape) contexts for performance optimization. This context reuse occurs in script items, JavaScript preprocessing, and Webhooks functionality. The vulnerability allows a regular (non-super) Zabbix administrator to leak sensitive data from hosts they do not have access to, resulting in confidentiality loss.
Critical Impact
Zabbix administrators without super administrator rights can read confidential host data outside their authorization scope through JavaScript context leakage.
Affected Products
- Zabbix Server (versions utilizing JavaScript context reuse)
- Zabbix Proxy (versions utilizing JavaScript context reuse)
- Components using the Duktape JavaScript engine (script items, JavaScript preprocessing, Webhooks)
Discovery Timeline
- 2026-03-24 - CVE-2026-23919 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-23919
Vulnerability Analysis
This vulnerability is classified under CWE-488 (Exposure of Data Element to Wrong Session), which occurs when data elements are incorrectly exposed to sessions that should not have access to them. In Zabbix's implementation, the Duktape JavaScript engine contexts are reused across different operations for performance optimization. This design decision inadvertently creates a data leakage channel where JavaScript variables and objects from one session can persist and become accessible to subsequent sessions operating under different authorization contexts.
The attack requires adjacent network access and high privileges (administrator-level access to Zabbix), though the attacker does not need to be a super administrator. Once exploited, the vulnerability results in a high confidentiality impact, with low impact on integrity and availability. The scope extends beyond the vulnerable component, potentially affecting other hosts in the monitored infrastructure.
Root Cause
The root cause lies in Zabbix's performance optimization strategy that reuses JavaScript (Duktape) execution contexts across multiple operations. When JavaScript contexts are shared between different administrator sessions or host monitoring operations, global variables and object states can persist beyond their intended scope. This creates a condition where data intended for one administrator's view can leak to another administrator who should not have access to that host's information.
Attack Vector
The attack vector requires adjacent network access, meaning the attacker must have network proximity to the Zabbix infrastructure. The attacker needs elevated privileges as a Zabbix administrator (though not super administrator level) to execute the attack. The exploitation involves leveraging the shared JavaScript context to read global variables or object properties that contain data from hosts outside the attacker's authorized scope.
The vulnerability manifests when multiple Zabbix administrators with different host access permissions use features that invoke the Duktape JavaScript engine. Due to context reuse, JavaScript global variables from one administrator's session may persist and become readable by another administrator in a subsequent operation. For detailed technical information, refer to the Zabbix Support Issue ZBX-27638.
Detection Methods for CVE-2026-23919
Indicators of Compromise
- Unusual JavaScript execution patterns in Zabbix Server/Proxy logs
- Administrator accounts accessing host data outside their normal scope
- Unexpected global variable references in script items or Webhooks
- Anomalous data retrieval patterns from non-assigned hosts
Detection Strategies
- Monitor Zabbix audit logs for administrators accessing hosts outside their assigned groups
- Implement logging for JavaScript context usage in script items and Webhooks
- Review Zabbix Server/Proxy logs for unusual preprocessing or script execution sequences
- Deploy network monitoring to detect adjacent network reconnaissance activities
Monitoring Recommendations
- Enable verbose logging for JavaScript-related operations in Zabbix configuration
- Implement alerting on cross-host data access patterns that deviate from normal baselines
- Regularly audit administrator permissions and host group assignments
- Monitor for attempts to define or access global JavaScript variables in custom scripts
How to Mitigate CVE-2026-23919
Immediate Actions Required
- Apply the latest Zabbix security patches that make built-in JavaScript objects read-only
- Audit existing script items, JavaScript preprocessing steps, and Webhooks for global variable usage
- Remove or refactor any scripts that rely on global JavaScript variables
- Review administrator access controls and restrict host visibility to minimum required scope
Patch Information
Zabbix has released a fix that makes the built-in Zabbix JavaScript objects read-only, preventing unauthorized data access through context reuse. Organizations should update to the patched versions as soon as possible. For additional guidance on known issues related to preprocessing and global variables, refer to the Zabbix documentation on known issues.
Workarounds
- Avoid using global JavaScript variables in script items, preprocessing, and Webhooks
- Implement strict variable scoping using local variables within functions
- Segment Zabbix infrastructure to limit the blast radius of potential exploitation
- Restrict network access to Zabbix Server/Proxy to trusted administrator networks only
- Consider implementing additional authentication layers for sensitive monitoring operations
# Configuration example (shell, on the Zabbix Server host; use zabbix_proxy for a proxy)
# Raise the log level of the preprocessing workers at runtime so that script
# execution is logged in more detail while script items and Webhooks are reviewed
# for global variable usage
zabbix_server -R log_level_increase="preprocessing worker"
# Verify that the installed Zabbix version includes the security fix
zabbix_server --version
# Restore the normal log level once the review is complete
zabbix_server -R log_level_decrease="preprocessing worker"
# Review active script items and ensure all scripts use local variable scoping
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.