Description
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loopback addresses, or link-local addresses — only the URL scheme (HTTP/HTTPS) as well as the hostname was checked. This could end up in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4.
Published: 2026-04-08
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: Server‑side request forgery (SSRF) leading to potential disclosure of internal or cloud metadata
Action: Immediate Patch
AI Analysis

Impact

Zammad’s webhook mechanism did not adequately validate URLs that could point back to the same server or to link‑local ranges, allowing an attacker who can configure webhooks to make the helpdesk application issue outbound HTTP/S requests to those destinations. Through such requests, the attacker could have the application contact internal or cloud service endpoints and retrieve sensitive metadata, such as cloud instance identifiers or internal network information. The weakness is a classic SSRF vulnerability (CWE‑918) that leads to information disclosure and could enable further compromise of the host if internal services are exposed.

Affected Systems

The issue affects Zammad installations running any version before 7.0.1 or 6.5.4. The webhook feature in these releases lacks proper validation of loopback and link‑local addresses. Users of the affected Zammad versions remain vulnerable until they upgrade to the patched releases.

Risk and Exploitability

The CVSS score of 8.3 classifies the vulnerability as High severity. Although no EPSS data is available, the missing SSRF protection and the potential to reach internal resources make exploitation likely for an attacker who is able to configure webhooks. The vulnerability is not listed in CISA’s KEV catalog, but the impact and the availability of public advisories indicate that exploitation could occur in the wild. The attack vector is inferred to be crafted webhook URLs supplied through the Zammad UI or API, which cause the application to issue an outbound request to an attacker‑controlled or internal endpoint.

Generated by OpenCVE AI on April 8, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround is recorded in this field (the description above states that the fix ships in 7.0.1 and 6.5.4).

OpenCVE Recommended Actions

  • Upgrade Zammad to version 7.0.1 or 6.5.4 where the webhook validation is fixed.
  • If an upgrade is not immediately possible, restrict outbound traffic from the Zammad host using firewall rules or a proxy to block loop‑back and link‑local IP ranges.
  • Configure the webhook settings to allow only explicitly whitelisted domains and enforce stricter URL validation.
  • Monitor webhook logs for unusual outbound activity or attempts to access internal services.
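To make the validation bullet concrete, here is an added Ruby example (not Zammad's code) that places the scheme-and-hostname-only check the description mentions beside a hardened validator that resolves the target and rejects loopback, link-local and private destinations, including IPv4-mapped IPv6 forms. It assumes an injected resolver fed by a constructed lookup table so it runs offline; `Resolv.getaddresses` is the suggested stand-in for production, and the blocked ranges are a conservative default, not the vendor's list.

```ruby
require 'uri'
require 'ipaddr'

# Destinations a webhook must never reach: loopback, unspecified and link-local
# (169.254.0.0/16 is where cloud metadata services live), plus RFC 1918 / ULA
# private ranges as a conservative default. Adjust to the deployment's policy.
BLOCKED_RANGES = %w[
  127.0.0.0/8 ::1/128 0.0.0.0/8 ::/128
  169.254.0.0/16 fe80::/10
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7
].map { |cidr| IPAddr.new(cidr) }.freeze

# The pre-fix style of check the description mentions: HTTP/HTTPS scheme and a
# non-empty hostname, with no regard for where that hostname points.
def scheme_and_host_only?(url)
  uri = URI.parse(url)
  %w[http https].include?(uri.scheme) && !uri.hostname.to_s.empty?
rescue URI::InvalidURIError
  false
end

def blocked_ip?(ip)
  ip = ip.native if ip.ipv4_mapped?   # ::ffff:127.0.0.1 is still loopback
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Hardened check: resolve the host and reject the URL if ANY answer falls in a
# blocked range; an unresolvable host fails closed. The resolver is injected so
# this runs offline; for real use something like ->(h) { Resolv.getaddresses(h) }
# (an assumption here, not Zammad's code).
def safe_webhook_url?(url, resolver:)
  return false unless scheme_and_host_only?(url)
  host = URI.parse(url).hostname
  addresses = begin
    [IPAddr.new(host)]                                # literal IP, no lookup
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  !addresses.empty? && addresses.none? { |ip| blocked_ip?(ip) }
end

# Constructed lookup table standing in for DNS (sample data, not real hosts).
FAKE_DNS = {
  'hooks.example.net'  => ['203.0.113.10'],
  'metadata.internal'  => ['169.254.169.254'],     # resolves to link-local
  'dual.example.net'   => ['203.0.113.20', '::1'], # one record loops back
  'mapped.example.net' => ['::ffff:127.0.0.1'],    # IPv4-mapped loopback
}.freeze
FAKE_RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }
```

Because a name can change its answer between configuration and delivery, run the check at both points, as the fix does, and have the HTTP client connect to the address that passed the check rather than resolving the name a second time.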

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Zammad; Zammad zammad
Vendors & Products                     Zammad; Zammad zammad

Wed, 08 Apr 2026 18:45:00 +0000

Type          Values Removed   Values Added
Description                    (same text as the Description section above)
Title                          Zammad has a Server-side request forgery (SSRF) via webhooks
Weaknesses                     CWE-918
References
Metrics                        cvssV4_0: score 8.3, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:02:16.224Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34719

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:22.003

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-34719

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:12:40Z

Weaknesses