CVE-2025-27236: 
Zabbix Server vulnerability analysis and mitigation

CVE-2025-27236 is a security vulnerability discovered in Zabbix that affects multiple versions of the software. The vulnerability was discovered and disclosed on October 3, 2025, affecting Zabbix versions 6.0.38-6.0.40, 7.0.9-7.0.16, 7.2.3-7.2.10, and 7.4.0. The issue allows regular Zabbix users to access unauthorized user information through the Zabbix API (Zabbix Support).

The vulnerability exists in the Zabbix API's user.get method with param search functionality. It allows authenticated users to search and view field values of other users within their user group, even for fields they don't have permission to access. The vulnerability has been assigned a CVSS v4.0 score of 2.1 (Low) with the vector string CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. The issue has been classified under CWE-863 (Incorrect Authorization) (Zabbix Support).

The vulnerability enables data-mining of unauthorized field values, potentially exposing sensitive user information within the same user group. While the impact is limited to users within the same group, it represents a breach of the principle of least privilege and could lead to unauthorized access to user data (Zabbix Support).

Zabbix has released fixed versions to address this vulnerability: version 6.0.41 for the 6.0.x branch, 7.0.17 for the 7.0.x branch, 7.2.11 for the 7.2.x branch, and 7.4.1 for the 7.4.x branch. Users are strongly recommended to upgrade to these patched versions (Zabbix Support, CERT-FR).

The vulnerability was initially reported through the HackerOne bug bounty platform by security researchers yannapostrophe and exod. Zabbix has acknowledged their contribution in identifying and reporting this security issue (Zabbix Support).