CVE-2026-23927 PUBLISHED

Agent 2 Oracle plugin TNS connection string injection via the 'service' parameter

Assigner: Zabbix
Reserved: 19.01.2026
Published: 06.05.2026
Updated: 06.05.2026

A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session.
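The safe shape of the fix described above is to treat the 'service' parameter as a plain Oracle service name and to keep the host and port under the agent's own configuration, so that the parameter can never carry a full TNS connect descriptor or an Easy Connect string that redirects the session. The following Go example is added here to illustrate that check; it is not Zabbix's code, and the function names, the allowed character set and the sample inputs are assumptions and constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// serviceNameRe accepts only a plain Oracle service name (letters, digits,
// underscore, dot, hyphen). Anything that could express a connect descriptor
// ("(DESCRIPTION=...") or an Easy Connect string ("host:port/service") fails
// the match because '(', '=', ':' and '/' are not allowed. Assumed character
// set; adjust to the naming rules of the monitored databases.
var serviceNameRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,128}$`)

// ErrServiceNotPlain is returned when the value is not a bare service name.
var ErrServiceNotPlain = errors.New("service must be a plain service name, not a TNS descriptor or connect string")

// ValidateService returns nil only for a bare service name.
func ValidateService(service string) error {
	s := strings.TrimSpace(service)
	if s == "" {
		return errors.New("service is empty")
	}
	if !serviceNameRe.MatchString(s) {
		return ErrServiceNotPlain
	}
	return nil
}

// BuildConnectString joins the configured host and port with a validated
// service name. Because host and port come from configuration rather than
// from the request, a caller cannot change where the agent connects.
func BuildConnectString(host string, port int, service string) (string, error) {
	if err := ValidateService(service); err != nil {
		return "", err
	}
	return fmt.Sprintf("%s:%d/%s", host, port, strings.TrimSpace(service)), nil
}

func main() {
	// Constructed sample inputs: a plain service name and two values that
	// would steer the connection elsewhere if accepted verbatim.
	inputs := []string{
		"XEPDB1",
		"(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=placeholder.invalid)(PORT=1521))(CONNECT_DATA=(SERVICE_NAME=XE)))",
		"placeholder.invalid:1521/XE",
	}
	for _, in := range inputs {
		cs, err := BuildConnectString("db.internal", 1521, in)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", in, err)
			continue
		}
		fmt.Printf("accepted: %s\n", cs)
	}
}
```

Running it accepts only the first input; the descriptor and the Easy Connect string are rejected before any connection is attempted, which is the behaviour a collector should have regardless of whether credentials are stored in a named session.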

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N
CVSS Score: 5.1

Product Status

Vendor Zabbix
Product Zabbix
Versions (default status: unknown)
  • affected from 6.0.0 to 6.0.44 (incl.)
  • affected from 7.0.0 to 7.0.23 (incl.)
  • affected from 7.4.0 to 7.4.7 (incl.)

Affected Configurations

Agent 2 instances that monitor an Oracle database and are reachable by an attacker who can send malicious requests to them.

Workarounds

Don't use named sessions for Oracle database monitoring.

Solutions

Update the affected components to their respective fixed versions.

Credits

  • Zabbix wants to thank kelsier from clocktwice.com for submitting this report on the HackerOne bug bounty platform.

References

Problem Types

  • CWE-522: Insufficiently Protected Credentials

Impacts

  • CAPEC-194: Fake the Source of Data