Skip to main content

Suse CVE-2026-23919

| EUVDEUVD-2026-14950 HIGH
Exposure of Data Element to Wrong Session (CWE-488)
2026-03-24 Zabbix GHSA-h55g-ww3m-9hq9
High
Disputed · 7.1 NVD
Share

Severity by source

Sources disagree (Low–High)
NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
3.1 LOW
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 18:31 euvd
EUVD-2026-14950
Analysis Generated
Mar 24, 2026 - 18:31 vuln.today
CVE Published
Mar 24, 2026 - 18:26 nvd
HIGH 7.1

DescriptionCVE.org

For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>.

AnalysisAI

Zabbix Server and Proxy reuse JavaScript (Duktape) execution contexts across script items, JavaScript preprocessing, and webhooks for performance optimization, allowing non-super administrators to leak sensitive data about hosts they lack authorization to access through context variable persistence. The vulnerability enables information disclosure attacks where a regular administrator can access confidential monitoring data from restricted hosts by exploiting shared JavaScript execution environments. A patch has been released that makes built-in Zabbix JavaScript objects read-only, though global variable usage remains unsafe even after remediation.

Technical ContextAI

The vulnerability exists in Zabbix Server and Proxy components (CPE: cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:*) which utilize the Duktape JavaScript engine for executing script items, JavaScript preprocessing rules, and webhook scripts. To optimize performance, these components reuse Duktape contexts rather than creating isolated environments for each script execution. This design choice allows variables and state from previous script executions to persist in shared contexts, creating a cross-execution data leakage vector. The root cause is classified under CWE-488 (Exposure of Sensitive Data Through Shared Resources), where insufficient isolation mechanisms permit information disclosure through shared computational resources. Non-super administrators with limited host access can craft JavaScript preprocessing rules or script items that read from previously-executed contexts belonging to other administrators' restricted hosts.

RemediationAI

Upgrade Zabbix Server and Proxy to the patched version that implements read-only built-in JavaScript objects as soon as possible, following Zabbix's official release notes and patch availability from https://support.zabbix.com/browse/ZBX-27638. As a workaround prior to patching, administrators should avoid using global JavaScript variables in preprocessing rules and script items, as these remain unsafe even after applying the read-only object fix. Additionally, enforce strict role-based access controls (RBAC) to limit which administrators can create or modify JavaScript preprocessing rules and script items, and audit existing JavaScript code to identify and remediate any use of global state variables that could leak sensitive information across execution contexts.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP3-BCL Fixed

Share

CVE-2026-23919 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy