CVE-2025-27236 PUBLISHED

User information disclosure via api_jsonrpc.php on method user.get with param search

Assigner: Zabbix
Reserved: 20.02.2025 Published: 03.10.2025 Updated: 03.10.2025

A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 2.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Adjacent	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	Zabbix
Product	Zabbix
Versions	Default: unknown affected from 6.0.38 to 6.0.40 (incl.) affected from 7.0.9 to 7.0.16 (incl.) affected from 7.2.3 to 7.2.10 (incl.) affected from 7.4.0 to 7.4.1 (excl.)

Affected Configurations

An authenticated, regular Zabbix user could data-mine some field values on other users in their group.

Solutions

Update the affected components to their respective fixed versions.

Credits

Zabbix wants to thank yannapostrophe and exod for submitting this report on the HackerOne bug bounty platform. reporter

References

https://support.zabbix.com/browse/ZBX-27060

Problem Types

CWE-863: Incorrect Authorization CWE

Impacts

CAPEC-116: Excavation