CVE-2024-36467: 
Zabbix Server vulnerability analysis and mitigation

An authenticated user with API access vulnerability in Zabbix, identified as CVE-2024-36467, allows users with default User role and access to the user.update API endpoint to add themselves to any group, including Zabbix Administrators. This privilege escalation vulnerability affects multiple versions of Zabbix, including versions 5.0.8, 6.0.14, and earlier releases (Debian Tracker).

The vulnerability stems from missing authorization checks in the user.update API endpoint. Users with basic API access can exploit this weakness to elevate their privileges by adding themselves to any group, except those that are disabled or have restricted GUI access. The issue has been addressed in versions 5.0.43rc1, 6.0.33rc1, 6.4.18rc1, and 7.0.2rc1 (Zabbix Support).

The vulnerability allows unauthorized privilege escalation within Zabbix systems. Authenticated users can potentially gain administrative access by adding themselves to privileged groups, effectively bypassing intended access control mechanisms (Debian Tracker).

Fixed versions have been released across multiple Zabbix branches. Organizations should upgrade to versions 5.0.43rc1, 6.0.33rc1, 6.4.18rc1, or 7.0.2rc1 or later, depending on their current version. For Debian systems, fixed packages are available in various distributions including bullseye (1:5.0.45+dfsg-1+deb11u1), trixie (1:7.0.9+dfsg-1), and sid (1:7.0.10+dfsg-1) (Debian Tracker).