Zabbix 7.4 Duktape Context Reuse Exposes Data
CVE-2026-23919 Published on March 24, 2026
Insufficient isolation of JavaScript (Duktape) execution context on Zabbix Server
For performance reasons Zabbix Server/Proxy reuses JavaScript (Duktape) contexts (used in script items, JavaScript reprocessing, Webhooks). This can lead to confidentiality loss where a regular (non-super) Zabbix administrator leaks data for hosts they do not have access to. A fix has been released that makes the built in Zabbix JavaScript objects read-only, but please be advised that usage of global JavaScript variables is not recommended because their content could be leaked. More information <a href='https://www.zabbix.com/documentation/7.4/en/manual/installation/known_issues#preprocessing-global-variables-are-unsafe'>in Zabbix documentation</a>.
Weakness Type
Exposure of Data Element to Wrong Session
The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session.
Products Associated with CVE-2026-23919
Want to know whenever a new CVE is published for Zabbix? stack.watch will email you.
Affected Versions
Zabbix:- Version 6.0.0, <= 6.0.40 is affected.
- Version 7.0.0, <= 7.0.18 is affected.
- Version 7.2.0, <= 7.2.12 is affected.
- Version 7.4.0, <= 7.4.2 is affected.