Argus Bloghttps://blog.argus-systems.ai/2026-06-08T11:00:00-07:00Security and engineeringTrusted Until It Isn't: The Zabbix SQL Injection That "Needs an Admin"2026-06-08T11:00:00-07:002026-06-08T11:00:00-07:00Argustag:blog.argus-systems.ai,2026-06-08:/blog/zabbix-oauth-sql-injection.html<p>Zabbix takes data from an external OAuth server's response and drops it straight into a SQL <code>UPDATE</code> statement with zero escaping. When we reported this, Zabbix dismissed it as a non-issue because "an admin has to configure the OAuth provider." That defense points at the wrong end of the data flow.</p><p>Zabbix is one of the most widely deployed open source monitoring platforms, used by everyone from small shops to large enterprises to keep an eye on servers, networks, and applications. A central Zabbix server collects metrics from across the fleet, evaluates alerting rules, and sends notifications when something goes wrong. Because it sits in the middle of all that infrastructure and holds the credentials to reach it, the Zabbix server is a high value target: whoever controls it has a foothold into much of the environment it watches.</p>
<p>We recently found a SQL injection in the Zabbix server's OAuth2 token refresh path. The injected values come directly from an external HTTP response, not from user input. Yet, when we reported the vulnerability, Zabbix declined to treat it as a security issue. Their rationale? An administrator has to configure the OAuth media type in the first place.</p>
<p>But the privilege to select an OAuth endpoint is not the same as the privilege to supply the bytes that get executed in your database. This post breaks down the bug, the data flow, and why "you need an admin" is an answer to a question nobody asked.</p>
<h2>The bug</h2>
<p>When an Email media type is configured with OAuth2 authentication and the access token expires, Zabbix server POSTs to the configured token endpoint to refresh it. It then takes the <code>access_token</code> and <code>refresh_token</code> strings out of the JSON response and writes them into the database.</p>
<p>Here is the write, in <code>src/libs/zbxalerter/oauth.c</code>, lines 301 to 307:</p>
<div class="highlight"><pre><span></span><code><span class="n">zbx_db_execute</span><span class="p">(</span><span class="s">"update media_type_oauth set"</span>
<span class="w"> </span><span class="s">" access_token='%s',access_token_updated="</span><span class="w"> </span><span class="n">ZBX_FS_TIME_T</span><span class="w"> </span><span class="s">","</span>
<span class="w"> </span><span class="s">"access_expires_in=%d,refresh_token='%s',tokens_status=%hhu"</span>
<span class="w"> </span><span class="s">" where mediatypeid="</span><span class="n">ZBX_FS_UI64</span><span class="p">,</span>
<span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_token</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_token_updated</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_expires_in</span><span class="p">,</span>
<span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">refresh_token</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">tokens_status</span><span class="p">,</span>
<span class="w"> </span><span class="n">mediatypeid</span><span class="p">);</span>
</code></pre></div>
<p><code>data->access_token</code> and <code>data->refresh_token</code> are parsed straight out of the OAuth server's JSON response (<code>oauth.c:248-264</code>) and handed to <code>zbx_db_execute()</code> with no escaping at all. The <code>else</code> branch at lines 311 to 317 has the same problem for <code>access_token</code>.</p>
<p>The MySQL connection is opened with <code>CLIENT_MULTI_STATEMENTS</code>, so this is not limited to breaking the one UPDATE. An attacker who controls the response can append stacked queries: <code>INSERT</code>, <code>UPDATE</code>, <code>DELETE</code>, anything the database user can do.</p>
<p>The call chain is short and fully automatic:</p>
<ol>
<li><code>alert_manager.c:491</code>, the alerter processes an email alert that uses an OAuth2 media type</li>
<li><code>oauth.c:400</code>, the token is detected as expired</li>
<li><code>oauth.c:408</code>, <code>oauth_access_refresh()</code> POSTs to <code>token_url</code> from the database</li>
<li><code>oauth.c:242-264</code>, the JSON response is parsed and <code>access_token</code> / <code>refresh_token</code> are taken as-is</li>
<li><code>oauth.c:413</code>, <code>oauth_db_update()</code> is called with the unescaped values</li>
<li><code>oauth.c:301-307</code>, the values are interpolated into SQL and executed</li>
</ol>
<p>Nobody clicks anything. A trigger fires, an alert gets queued, the token happens to be expired (OAuth access tokens usually live minutes to hours), and the refresh runs on its own.</p>
<p>We belive this is a definitly bug, not a design choice, but you don't have to take our threat model on faith; Zabbix's own code disagrees with their triage. Look anywhere else in this codebase where data hits SQL, and you will find it passing through <code>zbx_db_dyn_escape_string()</code>. It is heavily utilized throughout <code>dbconn.c</code> for this exact reason.</p>
<h2>Why "an admin sets the OAuth URL" is the wrong objection</h2>
<p>Zabbix's position is that configuring an Email media type (including setting the token endpoint) requires Admin rights. That is true, but it only gates the <em>destination</em>. It controls the URL Zabbix will talk to, not the data that comes back.</p>
<p>These are two entirely different trust boundaries, and the injection lives firmly on the second one:</p>
<ul>
<li><strong>Boundary 1 (Configuration):</strong> The admin controls where Zabbix sends the refresh request. This is trusted and restricted to administrators.</li>
<li><strong>Boundary 2 (Execution):</strong> The injected SQL comes from the response body, the tokens returned by whatever is listening at that URL. That data crosses the network on every single refresh, and it is untrusted by definition.</li>
</ul>
<p>The attacker exploiting this doesn't need to be the Zabbix admin.</p>
<h2>Why it is a critical issue</h2>
<p>A successful injection grants arbitrary SQL execution as the Zabbix database user. With stacked queries enabled, an attacker can read every credential and secret in the database, alter monitoring data, manipulate alert states, trivially create a backdoor administrator by inserting a record directly into the <code>users</code> table, or possibly execute arbitrary code.</p>
<p>Our proof of concept spun up Zabbix 8.0.0beta2, MySQL, and a hostile OAuth server. We seeded an Email media type pointing at our server and let the alerter do its job. The hostile server returned an <code>access_token</code> carrying a stacked <code>INSERT</code> statement.</p>
<div class="highlight"><pre><span></span><code>=== Users BEFORE injection ===
userid username passwd
1 Admin $2y$10$92nDno4n0Zm7Ej7Jfsz8WukBfgSS/U0QkIuu8WkJPihXBb2A1UrEK
2 guest $2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06
[+] New admin appeared!
=== Users AFTER injection ===
userid username passwd
1 Admin $2y$10$92nDno4n0Zm7Ej7Jfsz8WukBfgSS/U0QkIuu8WkJPihXBb2A1UrEK
2 guest $2y$10$89otZrRNmde97rIyzclecuk6LwKAsHN0BcvoOKGjbT.BwMBfm7G06
9999 backdoor $2y$10$92nDno4n0Zm7Ej7Jfsz8WukBfgSS/U0QkIuu8WkJPihXBb2A1UrEK
</code></pre></div>
<p>Full database write on a monitoring server is about as high as impact gets, because a monitoring server already has reach into the rest of your fleet. Pair that with a reachability path that needs no Zabbix credentials at all (a provider compromise), and "not a security issue" is not a defensible call.</p>
<h2>The fix</h2>
<p>Escape <code>access_token</code> and <code>refresh_token</code> with <code>zbx_db_dyn_escape_string()</code> before they are passed to <code>zbx_db_execute()</code> in <code>oauth_db_update()</code>, in both the <code>if</code> and <code>else</code> branches at lines 301 to 307 and 311 to 317. This is the same function the rest of the database layer already uses:</p>
<div class="highlight"><pre><span></span><code><span class="n">diff</span><span class="w"> </span><span class="o">--</span><span class="n">git</span><span class="w"> </span><span class="n">a</span><span class="o">/</span><span class="n">src</span><span class="o">/</span><span class="n">libs</span><span class="o">/</span><span class="n">zbxalerter</span><span class="o">/</span><span class="n">oauth</span><span class="p">.</span><span class="n">c</span><span class="w"> </span><span class="n">b</span><span class="o">/</span><span class="n">src</span><span class="o">/</span><span class="n">libs</span><span class="o">/</span><span class="n">zbxalerter</span><span class="o">/</span><span class="n">oauth</span><span class="p">.</span><span class="n">c</span>
<span class="n">index</span><span class="w"> </span><span class="n">dadca8f</span><span class="p">..</span><span class="n">b008c49</span><span class="w"> </span><span class="mi">100644</span>
<span class="o">---</span><span class="w"> </span><span class="n">a</span><span class="o">/</span><span class="n">src</span><span class="o">/</span><span class="n">libs</span><span class="o">/</span><span class="n">zbxalerter</span><span class="o">/</span><span class="n">oauth</span><span class="p">.</span><span class="n">c</span>
<span class="o">+++</span><span class="w"> </span><span class="n">b</span><span class="o">/</span><span class="n">src</span><span class="o">/</span><span class="n">libs</span><span class="o">/</span><span class="n">zbxalerter</span><span class="o">/</span><span class="n">oauth</span><span class="p">.</span><span class="n">c</span>
<span class="err">@@</span><span class="w"> </span><span class="mi">-294</span><span class="p">,</span><span class="mi">17</span><span class="w"> </span><span class="o">+</span><span class="mi">294</span><span class="p">,</span><span class="mi">29</span><span class="w"> </span><span class="err">@@</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="n">oauth_db_update</span><span class="p">(</span><span class="n">zbx_uint64_t</span><span class="w"> </span><span class="n">mediatypeid</span><span class="p">,</span><span class="w"> </span><span class="n">zbx_oauth_data_t</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">in</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span>
<span class="w"> </span><span class="p">{</span>
<span class="o">+</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">access_token_esc</span><span class="p">;</span>
<span class="o">+</span>
<span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">tokens_status</span><span class="w"> </span><span class="o">|=</span><span class="w"> </span><span class="p">(</span><span class="n">ZBX_OAUTH_TOKEN_ACCESS_VALID</span><span class="w"> </span><span class="o">|</span><span class="w"> </span><span class="n">ZBX_OAUTH_TOKEN_REFRESH_VALID</span><span class="p">);</span>
<span class="o">+</span><span class="w"> </span><span class="cm">/* access_token and refresh_token originate from the external OAuth server response, */</span>
<span class="o">+</span><span class="w"> </span><span class="cm">/* so they must be escaped before being interpolated into the SQL statement */</span>
<span class="o">+</span><span class="w"> </span><span class="n">access_token_esc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">zbx_db_dyn_escape_string</span><span class="p">(</span><span class="n">data</span><span class="o">-></span><span class="n">access_token</span><span class="p">);</span>
<span class="o">+</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">(</span><span class="nb">NULL</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">old_refresh_token</span><span class="p">)</span><span class="w"> </span><span class="cm">/* data->refresh_token has changed */</span>
<span class="w"> </span><span class="p">{</span>
<span class="o">+</span><span class="w"> </span><span class="kt">char</span><span class="w"> </span><span class="o">*</span><span class="n">refresh_token_esc</span><span class="p">;</span>
<span class="o">+</span>
<span class="o">+</span><span class="w"> </span><span class="n">refresh_token_esc</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">zbx_db_dyn_escape_string</span><span class="p">(</span><span class="n">data</span><span class="o">-></span><span class="n">refresh_token</span><span class="p">);</span>
<span class="o">+</span>
<span class="w"> </span><span class="n">zbx_db_execute</span><span class="p">(</span><span class="s">"update media_type_oauth set"</span>
<span class="w"> </span><span class="s">" access_token='%s',access_token_updated="</span><span class="w"> </span><span class="n">ZBX_FS_TIME_T</span><span class="w"> </span><span class="s">","</span>
<span class="w"> </span><span class="s">"access_expires_in=%d,refresh_token='%s',tokens_status=%hhu"</span>
<span class="w"> </span><span class="s">" where mediatypeid="</span><span class="n">ZBX_FS_UI64</span><span class="p">,</span>
<span class="o">-</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_token</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_token_updated</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_expires_in</span><span class="p">,</span>
<span class="o">-</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">refresh_token</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">tokens_status</span><span class="p">,</span>
<span class="o">+</span><span class="w"> </span><span class="n">access_token_esc</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_token_updated</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_expires_in</span><span class="p">,</span>
<span class="o">+</span><span class="w"> </span><span class="n">refresh_token_esc</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">tokens_status</span><span class="p">,</span>
<span class="w"> </span><span class="n">mediatypeid</span><span class="p">);</span>
<span class="o">+</span>
<span class="o">+</span><span class="w"> </span><span class="n">zbx_free</span><span class="p">(</span><span class="n">refresh_token_esc</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="k">else</span>
<span class="w"> </span><span class="p">{</span>
<span class="err">@@</span><span class="w"> </span><span class="mi">-312</span><span class="p">,</span><span class="mi">10</span><span class="w"> </span><span class="o">+</span><span class="mi">324</span><span class="p">,</span><span class="mi">12</span><span class="w"> </span><span class="err">@@</span><span class="w"> </span><span class="k">static</span><span class="w"> </span><span class="kt">void</span><span class="w"> </span><span class="n">oauth_db_update</span><span class="p">(</span><span class="n">zbx_uint64_t</span><span class="w"> </span><span class="n">mediatypeid</span><span class="p">,</span><span class="w"> </span><span class="n">zbx_oauth_data_t</span><span class="w"> </span><span class="o">*</span><span class="n">data</span><span class="p">,</span><span class="w"> </span><span class="n">in</span>
<span class="w"> </span><span class="s">" access_token='%s',access_token_updated="</span><span class="w"> </span><span class="n">ZBX_FS_TIME_T</span><span class="w"> </span><span class="s">","</span>
<span class="w"> </span><span class="s">"access_expires_in=%d,tokens_status=%hhu"</span>
<span class="w"> </span><span class="s">" where mediatypeid="</span><span class="n">ZBX_FS_UI64</span><span class="p">,</span>
<span class="o">-</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_token</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_token_updated</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_expires_in</span><span class="p">,</span>
<span class="o">+</span><span class="w"> </span><span class="n">access_token_esc</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_token_updated</span><span class="p">,</span><span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">access_expires_in</span><span class="p">,</span>
<span class="w"> </span><span class="n">data</span><span class="o">-></span><span class="n">tokens_status</span><span class="p">,</span>
<span class="w"> </span><span class="n">mediatypeid</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="o">+</span>
<span class="o">+</span><span class="w"> </span><span class="n">zbx_free</span><span class="p">(</span><span class="n">access_token_esc</span><span class="p">);</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">}</span>
</code></pre></div>
<h2>Closing remarks</h2>
<p>We reported this vulnerability in good faith, providing a fully functional proof of concept. Zabbix concluded it was not a security issue because setting up the OAuth provider requires an administrator.</p>
<p>We disagree. Their reasoning treats the privilege to <em>choose</em> an endpoint as the privilege to <em>control</em> that endpoint's responses.</p>
<p><em>Affected version: Zabbix 8.0.0beta2, commit <code>31eccf9ddaf7adf129f9cd611c85b7451b188eb9</code>.</em></p>