Skip to main content

Docker EUVDEUVD-2026-14958

| CVE-2026-23924 MEDIUM
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-03-24 Zabbix GHSA-xfvx-fm25-g3v4
6.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 24, 2026 - 19:00 euvd
EUVD-2026-14958
Analysis Generated
Mar 24, 2026 - 19:00 vuln.today
CVE Published
Mar 24, 2026 - 18:30 nvd
MEDIUM 6.1

DescriptionCVE.org

Zabbix Agent 2 Docker plugin does not properly sanitize the 'docker.container_info' parameters when forwarding them to the Docker daemon. An attacker capable of invoking Agent 2 can read arbitrary files from running Docker containers by injecting them via the Docker archive API.

AnalysisAI

The Zabbix Agent 2 Docker plugin contains an argument injection vulnerability in the 'docker.container_info' parameter handler that fails to properly sanitize user-supplied input before forwarding requests to the Docker daemon. An authenticated attacker who can invoke Agent 2 can exploit this flaw to read arbitrary files from running Docker containers by injecting malicious parameters through the Docker archive API, potentially exposing sensitive application data, credentials, and configuration files. While no CVSS score or EPSS data is currently available, and no indication of active exploitation in the wild has been reported, this represents a direct path to container escape and lateral movement for attackers with agent-level access.

Technical ContextAI

Zabbix Agent 2 (cpe:2.3:a:zabbix:zabbix) includes a Docker monitoring plugin that communicates with the Docker daemon API to collect container metrics and metadata. The vulnerability stems from CWE-88 (Argument Injection) in the parameter handling logic for the 'docker.container_info' function. When this function constructs requests to the Docker API—specifically the archive endpoint used to retrieve files from containers—it does not properly escape or validate user-supplied parameters. This allows an attacker to inject additional Docker API parameters that modify the intended query, such as injecting path traversal sequences or alternative archive paths. The Docker daemon, receiving these malformed requests, executes them with the privileges of the Zabbix agent process, typically running with elevated rights for monitoring purposes.

RemediationAI

Immediately apply the security patch released by Zabbix for CVE-2026-23924, available through the Zabbix support portal at https://support.zabbix.com/browse/ZBX-27642. Upgrade to the patched version of Zabbix Agent 2 once available. As an interim mitigation, restrict network and local access to Agent 2 listening ports to only trusted Zabbix server instances and administrative users; disable or isolate the Docker plugin if it is not actively required for monitoring. Additionally, review and audit which containers and hosts have the Zabbix agent deployed with Docker plugin enabled, and restrict the agent's Docker API socket permissions to the minimum necessary user/group. Monitor Zabbix agent logs for suspicious docker.container_info invocations with unusual parameters.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

EUVD-2026-14958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy