CVE-2024-42327: Zabbix SQL Injection Vulnerability

CVE-2024-42327 is a SQL injection vulnerability in Zabbix frontend affecting users with API access. Non-admin accounts can exploit the CUser class flaw. This article covers technical details, affected versions, and mitigations.

Published: January 28, 2026

CVE-2024-42327 Overview

CVE-2024-42327 is a critical SQL Injection vulnerability affecting the Zabbix monitoring platform. A non-admin user account on the Zabbix frontend with the default User role, or with any other role that provides API access, can exploit this vulnerability. The SQL injection exists in the CUser class within the addRelatedObjects function, which is called from the CUser.get function available to every user with API access.

Critical Impact

This vulnerability allows authenticated users with minimal privileges to execute arbitrary SQL queries against the Zabbix database, potentially leading to complete database compromise, data exfiltration, and unauthorized access to sensitive monitoring data across the entire infrastructure.

Affected Products

- Zabbix Zabbix (multiple versions)

Discovery Timeline

- 2024-11-27 - CVE-2024-42327 published to NVD
- 2025-10-08 - Last updated in NVD database

Technical Details for CVE-2024-42327

Vulnerability Analysis

This SQL Injection vulnerability (CWE-89) represents a significant security flaw in the Zabbix frontend's user management API. The vulnerability exists within the CUser class, specifically in the addRelatedObjects function. This function is invoked by CUser.get, a method that is accessible to any authenticated user with API access—including those with only the default User role. The critical nature of this vulnerability stems from the fact that it requires only low-privilege authentication to exploit, yet can impact resources beyond the vulnerable component's scope.
An attacker can manipulate SQL queries through the API to extract sensitive data, modify database contents, or potentially escalate privileges within the Zabbix environment.

Root Cause

The root cause of this vulnerability is improper input validation and insufficient sanitization of user-supplied data within the addRelatedObjects function in the CUser class. When the CUser.get API method processes requests, it passes user-controlled parameters to addRelatedObjects without adequate escaping or parameterized query construction, allowing malicious SQL code to be injected and executed against the underlying database.

Attack Vector

The attack vector is network-based, requiring an authenticated user with API access to the Zabbix frontend. The attacker crafts malicious API requests to the CUser.get endpoint, embedding SQL injection payloads that are processed by the vulnerable addRelatedObjects function. Since the default User role includes API access, any authenticated user can potentially exploit this vulnerability without requiring administrative privileges.
The exploitation path involves:

- Authenticating to the Zabbix frontend with a low-privilege account
- Crafting malicious API requests targeting the CUser.get method
- Injecting SQL payloads through parameters processed by addRelatedObjects
- Extracting data, modifying records, or escalating privileges through SQL manipulation

Detection Methods for CVE-2024-42327

Indicators of Compromise

- Unusual or malformed API requests to the CUser.get endpoint containing SQL syntax characters (single quotes, UNION statements, comment sequences)
- Database query logs showing unexpected SQL patterns or syntax errors originating from the Zabbix application
- Anomalous database activity such as bulk data extraction or unauthorized table access from the Zabbix service account
- Failed or successful authentication attempts followed by immediate API calls to user-related endpoints

Detection Strategies

- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in API requests to the Zabbix frontend
- Enable detailed logging for all API calls to the CUser.get endpoint and monitor for suspicious parameter values
- Configure database audit logging to capture all queries executed by the Zabbix application user, with alerts for anomalous query patterns
- Deploy intrusion detection systems (IDS) with signatures targeting SQL injection attack patterns in HTTP POST data

Monitoring Recommendations

- Monitor Zabbix application logs for API access patterns, particularly focusing on the user management endpoints
- Set up alerts for database query failures or syntax errors that may indicate attempted SQL injection
- Track API usage patterns per user account to identify anomalous behavior from low-privilege accounts
- Review database connection logs for unusual query volumes or data access patterns from the Zabbix application

How to Mitigate CVE-2024-42327

Immediate Actions Required

- Review and restrict API access permissions, removing API access from user roles that do not require it
- Implement network-level access controls to limit
CVE-2024-42327 is a critical SQL injection vulnerability in the
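
The detection guidance above (log CUser.get API calls and inspect their parameter values for single quotes, UNION statements and comment sequences) can be sketched as the following added example, which is not code from Zabbix or from this article. It assumes the logged HTTP POST bodies are JSON-RPC requests in which CUser.get appears as the method name `user.get`; the function names and the sample bodies are hypothetical and constructed for illustration.

```python
import json
import re

# Markers from the indicator list above: single quotes, UNION statements,
# and SQL comment sequences.
SQL_MARKERS = {
    "single_quote": re.compile(r"'"),
    "union": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "comment": re.compile(r"--|/\*|#"),
}

def _strings(node, path="params"):
    """Yield (path, text) for every string key and value under node."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield f"{path}.<key>", str(key)
            yield from _strings(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _strings(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_request(body):
    """Return (path, marker) findings for one logged API POST body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return [("body", "malformed_json")]  # malformed requests are an indicator too
    calls = doc if isinstance(doc, list) else [doc]  # JSON-RPC batches
    findings = []
    for call in calls:
        if not isinstance(call, dict) or str(call.get("method", "")).lower() != "user.get":
            continue  # only the method named in the advisory is inspected
        for path, text in _strings(call.get("params", {})):
            findings += [(path, m) for m, rx in SQL_MARKERS.items() if rx.search(text)]
    return findings

def _rpc(method, params, rid):
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": params, "id": rid})

# Constructed sample bodies, not captured traffic.
SAMPLES = {
    "benign": _rpc("user.get", {"output": ["userid", "username"]}, 1),
    "suspicious": _rpc("user.get", {"output": ["userid", "x' UNION SELECT 1 -- "]}, 2),
    "other_method": _rpc("host.get", {"search": {"name": "O'Brien"}}, 3),
    "truncated": '{"jsonrpc": "2.0", "method": "user.get", "params": ',
}
RESULTS = {name: scan_request(body) for name, body in SAMPLES.items()}
```

Findings are triage signals for correlation with the database audit logs, not proof of exploitation; apostrophes and `#` in legitimate free-text values will also match.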