CVE-2026-23926 Overview
CVE-2026-23926 is a stored cross-site scripting (XSS) vulnerability in Zabbix [CWE-79]. An authenticated administrator without super-admin privileges can create a maintenance period containing a JavaScript payload. The payload executes in the browser of any user who opens the tooltip for that maintenance period in the Host navigator widget. The attacker can then perform unauthorized actions in the context of the victim user, including a super-admin who views the affected widget.
Critical Impact
A lower-privileged administrator can execute arbitrary JavaScript in a super-admin's browser session, enabling privilege escalation and unauthorized actions across the Zabbix frontend.
Affected Products
- Zabbix frontend (Host navigator widget)
- Zabbix maintenance period configuration
- Refer to Zabbix Support Issue ZBX-27758 for affected version details
Discovery Timeline
- 2026-05-06 - CVE-2026-23926 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-23926
Vulnerability Analysis
The flaw is a stored XSS in the Zabbix Host navigator widget. Maintenance period names or descriptions accept user-supplied input without proper output encoding when rendered inside the widget's tooltip. When a user hovers over a host that has an associated maintenance period, the frontend constructs a tooltip using attacker-controlled data. The browser interprets injected <script> tags or HTML event handlers as executable code rather than literal text.
Because maintenance periods can be created by any user holding the (non-super) administrator role, the bar for authoring the payload is low. The exploitation surface is broad because operators and super-admins routinely consult host status widgets during incident triage.
Root Cause
The root cause is missing or insufficient HTML output encoding when the Host navigator widget renders maintenance period metadata into a tooltip DOM node. Input that should be treated as text content is instead inserted in a context that allows HTML or JavaScript execution. This is a classic [CWE-79] failure to neutralize input during web page generation.
Attack Vector
Exploitation requires an authenticated session with the administrator role and user interaction from the victim. The attacker creates a maintenance period whose name or related field contains a JavaScript payload. The attacker assigns the maintenance period to one or more hosts that appear in a Host navigator widget. When any user, including a super-admin, opens the tooltip for that maintenance period, the payload runs with the victim's session privileges. The attacker can then call Zabbix API endpoints, modify configuration, create new users, or exfiltrate data.
No proof-of-concept exploit is publicly available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to Zabbix Support Issue ZBX-27758 for technical details.
Detection Methods for CVE-2026-23926
Indicators of Compromise
- Maintenance period names containing HTML tags, <script> elements, javascript: URIs, or event handler attributes such as onerror= and onmouseover=.
- Audit log entries showing maintenance period creation or modification by non-super-admin accounts followed by privileged actions from a different user session.
- Unexpected user account creation, role changes, or API token generation shortly after a super-admin viewed a Host navigator widget.
Detection Strategies
- Query the Zabbix database for maintenance period names and descriptions matching regex patterns for HTML or JavaScript syntax.
- Review Zabbix audit logs for maintenance.create and maintenance.update API calls correlated with subsequent administrative changes.
- Inspect frontend access logs for anomalous XHR or fetch requests originating from Host navigator widget pages.
Monitoring Recommendations
- Forward Zabbix audit logs and web server access logs to a centralized log platform for retention and correlation.
- Alert on configuration changes performed within seconds of dashboard or widget page loads, which can indicate XSS-driven actions.
- Track creation of new admin-level users or API tokens and require out-of-band verification.
How to Mitigate CVE-2026-23926
Immediate Actions Required
- Apply the Zabbix security update referenced in Zabbix Support Issue ZBX-27758 as soon as it is available for your version.
- Audit all existing maintenance periods and remove any whose names or descriptions contain HTML or script syntax.
- Review which accounts hold the administrator role and revoke the role from users who do not require it.
Patch Information
Monitor Zabbix Support Issue ZBX-27758 for the patched build numbers and upgrade instructions. The vendor advisory is the authoritative source for fixed versions. Apply the patch in a staging environment first, then promote to production.
Workarounds
- Restrict the administrator role so that only trusted personnel can create maintenance periods until the patch is applied.
- Remove the Host navigator widget from shared dashboards viewed by super-admins until the frontend is updated.
- Deploy a Content Security Policy (CSP) at the reverse proxy that disallows inline script execution on the Zabbix frontend.
# Example nginx CSP header for the Zabbix frontend
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; base-uri 'self'" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
