Description
Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (meaning they can see each other's tickets) could see fields which are not intended for customers, including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these fields. This vulnerability is fixed in 7.0.1.
Published: 2026-04-08
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

A weakness categorized as CWE-284 allows customers in a shared organization to view internal ticket fields that are not intended for them. The flaw arose in Zammad prior to version 7.0.1, when the detail view of a ticket opened by a user could expose fields such as priority and custom internal attributes to other organization members with customer permissions. The impact is a confidentiality breach; attackers can see sensitive information but cannot modify or delete it.

Affected Systems

The affected product is the Zammad helpdesk platform. All releases before 7.0.1 are vulnerable. Versions 7.0.1 and later contain the patch.

Risk and Exploitability

The CVSS base score is 2.1, indicating low severity. There is no evidence that the vulnerability has been exploited in the wild or that it is listed in the KEV catalog, and its EPSS score is unavailable. Exploitation requires only an authenticated customer who belongs to a shared organization and opens a ticket from another member of the same group; no additional privileges or specialized conditions are needed. Because normal usage of the application suffices, the vulnerability is straightforward to trigger.

Generated by OpenCVE AI on April 8, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zammad to version 7.0.1 or later
  • Verify that the ticket detail view no longer displays internal fields for customer users in shared organizations
  • Check the vendor’s website or release notes for any additional security advisories related to this issue


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 16:00:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:*
Metrics |                | cvssV3_1 {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}

Thu, 09 Apr 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Zammad; Zammad zammad
Vendors & Products  |                | Zammad; Zammad zammad

Wed, 08 Apr 2026 18:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (means they can see each other's tickets) could see fields which are not intended for customers - including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these field. This vulnerability is fixed in 7.0.1.
Title       |                | Zammad has an information disclosure in ticket detail view of customers in shared organizations
Weaknesses  |                | CWE-284
References  |                |
Metrics     |                | cvssV4_0 {'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:17:40.442Z

Reserved: 2026-03-26T16:22:29.035Z

Link: CVE-2026-34248

Vulnrichment

Updated: 2026-04-09T15:02:15.659Z

NVD

Status : Analyzed

Published: 2026-04-08T19:25:21.567

Modified: 2026-04-17T15:48:48.110

Link: CVE-2026-34248

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:58Z

Weaknesses