Zabbix API hostprototype.get Host Proto Leak to Unprivileged Users
CVE-2025-27238 Published on September 12, 2025
API hostprototype.get lists data to users with insufficient authorization.
Due to a bug in Zabbix API, the hostprototype.get method lists all host prototypes to users that do not have any user groups assigned to them.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2025-27238 has been classified as an Authorization vulnerability or weakness.
Products Associated with CVE-2025-27238
Affected Versions
Zabbix:
- Versions 7.0.0 through 7.0.13 are affected.
- Versions 7.2.0 through 7.2.7 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.