CVE-2026-23927 Overview
CVE-2026-23927 is a credential exposure vulnerability affecting Zabbix Agent 2. An authenticated user able to connect to Agent 2 can inject an Oracle Transparent Network Substrate (TNS) connection string through the service parameter. The injection causes Agent 2 to connect to an attacker-controlled server. If Oracle database credentials are stored in a named session, the agent leaks them to the malicious endpoint. The flaw maps to CWE-522: Insufficiently Protected Credentials.
Critical Impact
Attackers with privileged access to Agent 2 can exfiltrate stored Oracle database credentials by redirecting connection attempts to attacker-controlled servers.
Affected Products
- Zabbix Agent 2 (Oracle monitoring plugin)
- Deployments using named sessions with stored Oracle credentials
- Environments where the service parameter is reachable by authenticated users
Discovery Timeline
- 2026-05-06 - CVE-2026-23927 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-23927
Vulnerability Analysis
The vulnerability resides in how Zabbix Agent 2 processes the service parameter when establishing Oracle database connections. Agent 2 supports named sessions that allow operators to pre-configure database credentials. When a monitoring item is invoked, Agent 2 builds a TNS connection string using user-supplied input without sufficient validation. An attacker who can reach the agent can substitute a TNS descriptor that points to an arbitrary host and port. The Oracle client library then attempts authentication against the attacker-controlled listener and transmits the cached credentials. The result is server-side credential exfiltration triggered by an authenticated request to the agent.
Root Cause
The root cause is improper neutralization of input used to construct an Oracle TNS connection descriptor. The service parameter is concatenated into connection logic without enforcing an allow-list of pre-defined endpoints. This pattern aligns with [CWE-522], where stored credentials are released to an untrusted destination because the destination itself is not authenticated or validated.
Attack Vector
Exploitation requires network access to Agent 2 and the privileges needed to invoke Oracle monitoring keys. The attacker stands up a rogue TNS listener and supplies a crafted service value referencing that listener. Agent 2 retrieves the named session credentials, opens a connection to the attacker host, and submits the username and password during the Oracle authentication handshake. The attacker captures the credentials at the listener for later reuse against the legitimate Oracle database.
No verified public exploit code is available. Refer to the Zabbix Support Ticket ZBX-27759 for vendor-supplied technical details.
Detection Methods for CVE-2026-23927
Indicators of Compromise
- Outbound TCP connections from Zabbix Agent 2 hosts to Oracle listener ports (default 1521) on unexpected destinations.
- Agent 2 log entries showing Oracle plugin invocations with unusual or externally-resolvable hostnames in the service parameter.
- DNS queries from Agent 2 hosts resolving domains not associated with internal database infrastructure.
Detection Strategies
- Inspect Agent 2 request logs for service parameter values containing full TNS descriptors such as (DESCRIPTION=(ADDRESS=(HOST=...)).
- Correlate monitoring item executions with subsequent egress connections from the agent host to identify redirected sessions.
- Alert on Oracle authentication failures originating from Agent 2 hosts directed at non-inventoried database servers.
Monitoring Recommendations
- Restrict and log every authenticated session permitted to issue Oracle plugin keys against Agent 2.
- Baseline expected Oracle listener destinations for each Agent 2 host and alert on deviations.
- Forward Agent 2 logs and host network telemetry to a centralized analytics platform for cross-source correlation.
How to Mitigate CVE-2026-23927
Immediate Actions Required
- Review the Zabbix Support Ticket ZBX-27759 and apply the vendor-supplied fix once available.
- Rotate any Oracle credentials stored in Agent 2 named sessions, especially where Agent 2 was reachable by lower-trust users.
- Audit which accounts can issue Oracle monitoring keys against Agent 2 and remove unnecessary privileges.
Patch Information
Track the vendor advisory at Zabbix Support Ticket ZBX-27759 for fixed version availability. Upgrade Zabbix Agent 2 to the patched release as soon as it is published and re-deploy named session configurations afterward.
Workarounds
- Avoid storing Oracle credentials in Agent 2 named sessions until the patch is applied; pass connection details only at invocation time from a trusted controller.
- Apply network egress controls on Agent 2 hosts so only sanctioned Oracle listener IPs and ports are reachable.
- Restrict inbound access to Agent 2 to the Zabbix server address and authenticated operators using TLS PSK or certificate authentication.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
