PT-2026-27475 · Zabbix +1

Janis Nulle +1 · Published 2026-03-24 · Updated 2026-04-17 · CVE-2026-23921

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Zabbix versions prior to 7.4.6

Description: A Zabbix user with API access can exploit a blind SQL injection in the CApiService.php file. The issue resides in the sortfield parameter, which allows an attacker to execute arbitrary SQL SELECT statements. Query results are not returned directly, but data can be exfiltrated with time-based techniques. This could lead to the disclosure of session identifiers and the compromise of administrator accounts. The vulnerable component is located in the file include/classes/api/CApiService.php. The vulnerable parameter is sortfield.

Recommendations: Update to Zabbix version 7.4.6 or later.
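The root cause described above is a sort-field value that reaches the SQL parser unchecked. The following added example (written for this advisory, not Zabbix's own code; the table, column names and the functions unsafe_order_by, safe_order_by and suspicious_sortfield are constructed for illustration) shows the vulnerable concatenation pattern next to an allowlist-based hardened form, plus a simple heuristic a defender can run over logged API request bodies:

```python
import re
import sqlite3

# Constructed allowlist standing in for the columns an API object may legitimately
# sort by (hypothetical; not Zabbix's actual table or field list).
ALLOWED_SORT_FIELDS = {"hostid": "hostid", "name": "name", "status": "status"}
ALLOWED_SORT_ORDERS = {"ASC", "DESC"}


def unsafe_order_by(sortfield, sortorder="ASC"):
    """The vulnerable pattern: the caller-supplied sortfield is concatenated
    into the query, so whatever the API user sends reaches the SQL parser."""
    return f"SELECT hostid, name FROM hosts ORDER BY {sortfield} {sortorder}"


def safe_order_by(sortfield, sortorder="ASC"):
    """Hardened form: resolve sortfield and sortorder through allowlists and
    emit only the mapped, known-good identifiers; reject everything else."""
    column = ALLOWED_SORT_FIELDS.get(sortfield)
    if column is None:
        raise ValueError(f"invalid sortfield: {sortfield!r}")
    if sortorder not in ALLOWED_SORT_ORDERS:
        raise ValueError(f"invalid sortorder: {sortorder!r}")
    return f"SELECT hostid, name FROM hosts ORDER BY {column} {sortorder}"


def suspicious_sortfield(value):
    """Log-review heuristic for API request bodies: a legitimate sortfield is a
    bare identifier, so any other shape is worth an alert."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", value) is None


def run_query(sql):
    """Execute against a constructed in-memory table so the functions above
    can be exercised offline; returns the host names in result order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hosts (hostid INTEGER, name TEXT, status INTEGER)")
    conn.executemany("INSERT INTO hosts VALUES (?, ?, ?)",
                     [(1, "web", 0), (2, "db", 1), (3, "app", 0)])
    return [row[1] for row in conn.execute(sql)]
```

With the unsafe builder, a sortfield such as "status, name" is accepted and evaluated as SQL, while the hardened builder raises ValueError for anything outside the allowlist.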

Fix

SQL injection


Weakness Enumeration

Related identifiers

BDU:2026-07355
CVE-2026-23921

Affected products

Red Os
Zabbix