MFA Bypass via Federated Login Paths
Zabbix MFA enforcement is bypassed when logging in via HTTP Basic Auth or SAML SSO paths, which create fully active sessions without triggering the MFA challenge.
Vendor
- Zabbix
Summary
Zabbix's MFA enforcement is configured per user group, not per authentication method. The HTTP auth (index_http.php) and SAML SSO (index_sso.php) login paths call CUser::loginByUsername() which hardcodes ZBX_SESSION_ACTIVE, ignoring the user's mfaid entirely. This grants a fully active session with no MFA challenge using the same user account and password.
Affected Versions
- Zabbix (all versions with MFA support)
Details
Both CUser::login() and CUser::loginByUsername() compute mfaid from the same user group membership via addUserGroupFields(). However, loginByUsername() unconditionally passes ZBX_SESSION_ACTIVE to createSession(), discarding the MFA requirement:
login() → mfaid respected → createSession(CONFIRMATION_REQUIRED) ✓
loginByUsername() → mfaid ignored → createSession(ACTIVE) ✗
The root cause is in CUser.php:2416. The HTTP auth and SAML SSO entry points contain no references to mfaid or index_mfa.php.
Preconditions:
- HTTP auth or SAML SSO enabled alongside internal auth
- Victim user is in a group with MFA required
- Global MFA enabled
Impact
Complete MFA bypass for every user in an MFA-required group, provided HTTP auth or SAML SSO is enabled. An attacker who already holds a valid password (HTTP auth path) or can obtain an assertion the IdP accepts (SAML path) gets a fully active session without ever being shown the second factor, so the protection Zabbix-side MFA was meant to add against credential compromise is lost for that account.
Remediation
No fix — Zabbix considers this not a security vulnerability. Operators who rely on Zabbix-side MFA should therefore treat index_http.php and index_sso.php as MFA-less entry points: disable HTTP auth and SAML SSO where they are not needed, or enforce the second factor in front of them (at the web server for HTTP auth, at the IdP for SAML), and monitor logins that arrive through those two scripts.
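Since no vendor fix exists, the following detection is added here as an example; it is not part of the advisory and not Zabbix code. It flags frontend logins that went through index_http.php or index_sso.php, the two entry points the advisory names as never reaching index_mfa.php. It assumes the frontend sits behind Apache or nginx writing the "combined" access-log format (so the HTTP Basic username appears in the third, authuser, field) and that the set of MFA-required users is exported from the frontend separately; the log lines and the user set below are constructed.

```python
"""Detection for logins through Zabbix's HTTP-auth and SAML SSO entry points.

Added example, not code from the advisory or from Zabbix. Assumes the
frontend is behind Apache/nginx writing the "combined" log format, so the
HTTP Basic username is in the authuser field; sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# The two entry points the advisory names as never reaching index_mfa.php.
FEDERATED_ENTRY_POINTS = frozenset({"/index_http.php", "/index_sso.php"})

# Combined log format: host ident authuser [time] "METHOD path HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<authuser>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?[^ "]*)? [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


@dataclass(frozen=True)
class Request:
    host: str
    user: Optional[str]   # Basic-auth username, None when the server logged "-"
    time: str
    method: str
    path: str
    status: int


@dataclass(frozen=True)
class Finding:
    request: Request
    severity: str
    reason: str


def parse_line(line: str) -> Optional[Request]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    user = m.group("authuser")
    return Request(
        host=m.group("host"),
        user=None if user == "-" else user,
        time=m.group("time"),
        method=m.group("method"),
        path=m.group("path"),
        status=int(m.group("status")),
    )


def classify(req: Request, mfa_required_users: set) -> Finding:
    """Rate one hit on a federated entry point.

    Assumption: a 2xx/3xx from these scripts means the frontend created the
    session (the advisory's ZBX_SESSION_ACTIVE path); 401/403 is a rejected
    credential. SAML identities travel in the POSTed SAMLResponse, not the
    access log, so those hits are marked for correlation with the audit log.
    """
    if not 200 <= req.status < 400:
        return Finding(req, "failed", "credentials rejected at the entry point")
    if req.user is None:
        return Finding(req, "review", "session via SSO path; resolve the user from the Zabbix audit log")
    if req.user in mfa_required_users:
        return Finding(req, "high", "MFA-required user obtained a session without the MFA challenge")
    return Finding(req, "info", "federated login by a user whose group does not require MFA")


def find_federated_logins(lines, mfa_required_users):
    """Return a Finding for every request to index_http.php or index_sso.php."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is not None and req.path in FEDERATED_ENTRY_POINTS:
            findings.append(classify(req, mfa_required_users))
    return findings


# Constructed sample: one successful Basic-auth login by an MFA-required user,
# one SAML assertion-consumer hit, one rejected Basic-auth attempt, plus noise.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Jun/2026:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - alice [06/Jun/2026:10:02:30 +0000] "GET /index_http.php HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.9 - - [06/Jun/2026:10:03:01 +0000] "POST /index_sso.php?acs HTTP/1.1" 302 0 "https://idp.example/sso" "Mozilla/5.0"
203.0.113.7 - bob [06/Jun/2026:10:04:44 +0000] "GET /index_http.php HTTP/1.1" 401 381 "-" "curl/8.4.0"
203.0.113.7 - - [06/Jun/2026:10:05:10 +0000] "GET /index_mfa.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Users whose Zabbix group requires MFA; in practice exported from the
# frontend's user-group configuration (constructed here).
MFA_REQUIRED_USERS = {"alice", "carol"}

if __name__ == "__main__":
    for f in find_federated_logins(SAMPLE_LOG.splitlines(), MFA_REQUIRED_USERS):
        print(f"[{f.severity:6}] {f.request.time} {f.request.host} user={f.request.user} "
              f"{f.request.method} {f.request.path} -> {f.request.status}: {f.reason}")
```

On the constructed sample this yields a high-severity finding for alice (an MFA-required user who got a session through index_http.php), a review item for the SAML hit (the access log cannot say which user the assertion named, so that must be joined with the Zabbix audit log), and a failed entry for bob's rejected Basic-auth attempt. The 2xx/3xx-means-session rule is a heuristic about how the web server reports these scripts, not something the advisory states; confirm it against one known-good login before alerting on it.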
Timeline
- 2026-06-06 — Disclosed to Zabbix
- 2026-06-08 — Zabbix responds: not a security vulnerability