{"id":"CVE-2024-36467","details":"An authenticated user with API access (e.g.: user with default User role), more specifically a user with access to the user.update API endpoint is enough to be able to add themselves to any group (e.g.: Zabbix Administrators), except to groups that are disabled or having restricted GUI access.","modified":"2026-04-12T07:38:39.049863Z","published":"2024-11-27T07:15:09.080Z","references":[{"type":"ADVISORY","url":"https://support.zabbix.com/browse/ZBX-25614"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zabbix/zabbix","events":[{"introduced":"5203d2ea7d901cd33d148f20586e2155901a7faa"},{"fixed":"e05e6ba9dca6bac63179965db2d95b9e32a11b1b"},{"introduced":"49955f1fb5c9168a8a24b053f7ade6b3d903143c"},{"fixed":"d1b0c3308ce91271f6a8a28a3ad78df4295807f5"}],"database_specific":{"versions":[{"introduced":"6.0.0"},{"fixed":"6.0.33"},{"introduced":"7.0.0"},{"fixed":"7.0.2"}]}}],"versions":["6.0.0","6.0.1","6.0.10","6.0.10rc1","6.0.10rc2","6.0.11","6.0.11rc1","6.0.11rc2","6.0.12","6.0.12rc1","6.0.12rc2","6.0.13","6.0.13rc1","6.0.14","6.0.14rc1","6.0.14rc2","6.0.15","6.0.15rc1","6.0.15rc2","6.0.16","6.0.16rc1","6.0.17","6.0.17rc1","6.0.17rc2","6.0.18","6.0.18rc1","6.0.19","6.0.19rc1","6.0.1rc1","6.0.1rc2","6.0.1rc3","6.0.1rc4","6.0.2","6.0.20","6.0.20rc1","6.0.21","6.0.21rc1","6.0.22","6.0.22rc1","6.0.23","6.0.23rc1","6.0.25","6.0.25rc1","6.0.26","6.0.26rc1","6.0.27","6.0.27rc1","6.0.28","6.0.28rc1","6.0.29","6.0.29rc1","6.0.2rc1","6.0.3","6.0.30","6.0.30rc1","6.0.31","6.0.31rc1","6.0.32","6.0.32rc1","6.0.33rc1","6.0.3rc1","6.0.4","6.0.4rc1","6.0.5","6.0.5rc1","6.0.6","6.0.6rc1","6.0.7","6.0.7rc1","6.0.8","6.0.8rc1","6.0.8rc2","6.0.9","6.0.9rc1","6.0.9rc2","7.0.0","7.0.1","7.0.1rc1","7.0.1rc2","7.0.2rc1","7.0.2rc2"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/zabbix/zabbix/commit/e05e6ba9dca6bac63179965db2d95b9e32a11b1b","signature_type":"Line","target":{"file":"src/zabbix_java/src/com/zabbix/gateway/GeneralInformation.java"},"signature_version":"v1","id":"CVE-2024-36467-42185414","digest":{"line_hashes":["42377719247154798294649350857211914722","277301446743689282564066719793421861949","84053493762398819857165875037492472417","134573353912766890848741256532153642229","177130751556011487463321449951885775840","255221815652418511241443785427600625788"],"threshold":0.9},"deprecated":false},{"source":"https://github.com/zabbix/zabbix/commit/d1b0c3308ce91271f6a8a28a3ad78df4295807f5","signature_type":"Line","target":{"file":"src/zabbix_java/src/com/zabbix/gateway/GeneralInformation.java"},"signature_version":"v1","id":"CVE-2024-36467-ac10784f","digest":{"line_hashes":["34908699306599158635795536573952383699","167817887453521444665906004018254238130","62890894479301481442114582393126689040","42148122484818738970023406310845772326","32761922953330182587138576375100391282","48732569782269390333384377044185269327"],"threshold":0.9},"deprecated":false}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-36467.json","unresolved_ranges":[{"events":[{"introduced":"5.0.0"},{"fixed":"5.0.43"}]},{"events":[{"introduced":"6.4.0"},{"fixed":"6.4.18"}]}],"vanir_signatures_modified":"2026-04-12T07:38:39Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}