Vulnerability Description
A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Although query results are not returned directly, an attacker can exfiltrate arbitrary database data through time-based techniques, potentially leading to session identifier disclosure and administrator account compromise.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-23921?
CVE-2026-23921 is a documented vulnerability. A low privilege Zabbix user with API access can exploit a blind SQL injection vulnerability in include/classes/api/CApiService.php to execute arbitrary SQL selects via the sortfield parameter. Althoug...
How severe is CVE-2026-23921?
CVSS scoring is not yet available for CVE-2026-23921. Check NVD for updates.
Is there a patch for CVE-2026-23921?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.