Description
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses — only the URL scheme (HTTP/HTTPS) as well as the hostname was checked. This could end up in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4.
Published: 2026-04-08
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑side request forgery (SSRF) leading to potential disclosure of internal or cloud metadata
Action: Immediate Patch
AI Analysis

Impact

Zammad’s webhook mechanism did not adequately validate URLs that could point back to the same server or to link‑local ranges, allowing attackers to trigger outbound HTTP/S requests from the helpdesk application. Through such requests, an attacker could cause the application to contact internal or cloud service endpoints and retrieve sensitive metadata, such as cloud instance identifiers or internal network information. The weakness is a classic SSRF vulnerability (CWE‑918) that can lead to information disclosure and potentially further compromise the host if internal services are exposed.

Affected Systems

The issue affects Zammad installations running any version before 7.0.1 or 6.5.4. The webhooks feature in these releases lacks proper validation of loop‑back and link‑local addresses. Users of the affected Zammad versions are vulnerable until they upgrade to the patched releases.

Risk and Exploitability

The CVSS score of 8.3 classifies the vulnerability as High severity. Although EPSS data is not available, the lack of protection against SSRF and the potential to reach internal resources make exploitation likely for an attacker with access to configure webhooks. The vulnerability is not listed in CISA’s KEV catalog, but the impact and availability of public advisories indicate that exploitation could occur in the wild. The attack vector is inferred to be via crafted webhook URLs that an attacker can supply through the Zammad UI or API, resulting in an outbound request from the application to an attacker‑controlled or internal endpoint.

Generated by OpenCVE AI on April 8, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zammad to version 7.0.1 or 6.5.4 where the webhook validation is fixed.
  • If an upgrade is not immediately possible, restrict outbound traffic from the Zammad host using firewall rules or a proxy to block loop‑back and link‑local IP ranges.
  • Configure the webhook settings to allow only explicitly whitelisted domains and enforce stricter URL validation.
  • Monitor webhook logs for unusual outbound activity or attempts to access internal services.

Generated by OpenCVE AI on April 8, 2026 at 19:52 UTC.
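The description above says the original webhook check looked only at the URL scheme and the hostname, and the recommended actions ask for stricter URL validation. The following is an added example of such a check, written here in Ruby (Zammad's language); it is not Zammad's own code or OpenCVE's. It resolves the hostname and rejects any destination in loopback, link-local (which covers the usual cloud metadata address 169.254.169.254), private or IPv4-mapped ranges. The `FAKE_DNS` names and `TEST_RESOLVER` are constructed so the check runs offline; in production the `DEFAULT_RESOLVER`, a plain `Resolv.getaddresses` lookup, would be used.

```ruby
# Added example, not Zammad's code: a defensive webhook-URL check that goes
# beyond scheme + hostname by resolving the name and rejecting loopback,
# link-local (incl. the cloud metadata address 169.254.169.254), private and
# IPv4-mapped destinations. The resolver is injectable so the example runs
# offline; in production pass the real DNS lookup (DEFAULT_RESOLVER).
require 'uri'
require 'ipaddr'
require 'resolv'

# Destination ranges a webhook must never reach. Extend to match your network.
BLOCKED_RANGES = %w[
  0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  169.254.0.0/16 100.64.0.0/10
  ::/128 ::1/128 fe80::/10 fc00::/7
].map { |cidr| IPAddr.new(cidr) }.freeze

# Real lookup used in production; returns every A/AAAA record as a string.
DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) }

# Constructed mapping (hypothetical names) so the check runs without DNS.
FAKE_DNS = {
  'hooks.example.com'      => ['203.0.113.10'],
  'localhost'              => ['127.0.0.1', '::1'],
  'metadata.internal.test' => ['169.254.169.254'],
  'mixed.test'             => ['203.0.113.10', '10.0.0.5'], # one public, one private
  'nxdomain.test'          => []
}.freeze
TEST_RESOLVER = ->(host) { FAKE_DNS.fetch(host, []) }

# Parse an IP literal, or return nil if the string is a hostname (or junk).
def literal_ip(str)
  IPAddr.new(str)
rescue IPAddr::InvalidAddressError
  nil
end

# True if the address (IPv4-mapped IPv6 unwrapped first) lies in a blocked range.
def blocked_ip?(ip)
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Decide whether a webhook URL may be delivered. Every resolved address must be
# allowed: if a name resolves to several addresses and any one is blocked, the
# URL is rejected; a name that resolves to nothing is rejected too.
def webhook_url_allowed?(url, resolver: DEFAULT_RESOLVER)
  uri = URI.parse(url)
  return false unless %w[http https].include?(uri.scheme)
  host = uri.hostname # strips the [] around an IPv6 literal
  return false if host.nil? || host.empty?

  literal = literal_ip(host)
  addresses = literal ? [literal] : resolver.call(host).map { |a| literal_ip(a) }.compact
  return false if addresses.empty?

  addresses.none? { |ip| blocked_ip?(ip) }
rescue URI::InvalidURIError
  false
end

if $PROGRAM_NAME == __FILE__
  [
    'https://hooks.example.com/zammad',
    'http://localhost:3000/',
    'http://169.254.169.254/latest/meta-data/',
    'http://[::ffff:169.254.169.254]/',
    'http://metadata.internal.test/',
    'http://mixed.test/',
    'ftp://hooks.example.com/'
  ].each do |u|
    verdict = webhook_url_allowed?(u, resolver: TEST_RESOLVER) ? 'allowed' : 'REJECTED'
    puts format('%-45s %s', u, verdict)
  end
end
```

As the advisory notes for the fix, the check belongs at both points: when the webhook is saved and again when each job is delivered, since a name can be re-pointed between the two. Connecting to the address that passed the check, rather than resolving the name a second time inside the HTTP client, removes the remaining gap.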


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*
cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:*

Fri, 10 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Zammad
Zammad zammad
Vendors & Products Zammad
Zammad zammad

Wed, 08 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses — only the URL scheme (HTTP/HTTPS) as well as the hostname was checked. This could end up in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4.
Title Zammad has a Server-side request forgery (SSRF) via webhooks
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T20:38:50.653Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34719

Vulnrichment

Updated: 2026-04-10T20:38:40.833Z

NVD

Status : Analyzed

Published: 2026-04-08T19:25:22.003

Modified: 2026-04-17T15:27:09.523

Link: CVE-2026-34719

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:12:40Z

Weaknesses