Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A user able to connect to Agent 2 can inject an Oracle TNS connection string via the 'service' parameter. This can lead to Agent 2 connecting to an attacker-controlled server and leaking Oracle database credentials if they are saved in a named session.
AnalysisAI
Zabbix Agent 2 allows remote attackers with high privileges to inject malicious Oracle TNS connection strings via the 'service' parameter, enabling credential theft from saved database sessions. The vulnerability requires network access and high-level privileges but can lead to disclosure of Oracle database credentials if they are stored in named sessions. CVSS 5.1 reflects the requirement for authenticated attacker access (PR:H), though the impact to stored credentials is significant.
Technical ContextAI
Zabbix Agent 2 implements Oracle database monitoring capabilities that accept TNS connection parameters. The 'service' parameter in connection requests fails to properly validate or sanitize user input before constructing TNS connection strings, violating CWE-522 (Insufficiently Protected Credentials). This allows an attacker to redirect database connections to attacker-controlled servers, intercepting authentication attempts and harvesting credentials. The vulnerability affects CPE cpe:2.3:a:zabbix:zabbix:*:*:*:*:*:*:*:* across multiple major versions.
RemediationAI
Apply vendor patches immediately: upgrade to Zabbix 6.0.45 or later for 6.x branch, Zabbix 7.0.24 or later for 7.0.x branch, or Zabbix 7.4.8 or later for 7.4.x branch (exact patch versions to be confirmed via https://support.zabbix.com/browse/ZBX-27759). As a compensating control pending patching, remove or disable Oracle database credentials from Zabbix named sessions and instead configure Oracle monitoring with separate, time-limited service accounts that do not store plaintext credentials. Additionally, restrict network access to Agent 2 interfaces using firewall rules to limit which internal systems can submit connection parameters, reducing the attack surface for high-privilege attackers. Monitor Agent 2 logs for unusual TNS connection attempts or redirects to unexpected servers.
Same weakness CWE-522 – Insufficiently Protected Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27528
GHSA-r8x9-p5v6-vx46