Description
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4.
Published: 2026-04-08
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via forged SSO header
Action: Patch immediately
AI Analysis

Impact

The flaw in Zammad’s single sign‑on (SSO) mechanism lies in the omission of origin validation for the SSO header. As a result, an attacker who can forge this header has the potential to trick Zammad into accepting an authentication request on behalf of another user. The weakness is classified as CWE‑346, indicating that untrusted domain data is used without adequate validation. Though the CVSS score of 2.3 signals a low severity, the primary risk is that an attacker could impersonate a legitimate user or gain unauthorized access to the system’s functionality.

Affected Systems

All releases of Zammad prior to version 7.0.1 and 6.5.4 are affected. Updating to at least these minimum versions or newer ensures that the SSO header origin is properly verified and the vulnerability is mitigated.

Risk and Exploitability

With a CVSS of 2.3, the overall risk is low and the CVE is not listed in the CISA KEV catalog. EPSS information is not available. The likely attack vector is inferred to be a forged HTTP request containing a malicious SSO header that bypasses server‑side origin checks. No additional privileges or local access are required, and the vulnerability does not lead to code execution or data exfiltration beyond the scope of impersonation.

Generated by OpenCVE AI on April 8, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Zammad to version 7.0.1 or 6.5.4 (or newer) to enforce proper origin validation of SSO headers.

Generated by OpenCVE AI on April 8, 2026 at 20:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*
cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Thu, 09 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Zammad
Zammad zammad
Vendors & Products Zammad
Zammad zammad

Wed, 08 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4.
Title Zammad has an origin validation error in SSO mechanism
Weaknesses CWE-346
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Zammad Zammad
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:17:34.878Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34720

cve-icon Vulnrichment

Updated: 2026-04-09T15:01:56.263Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T19:25:22.150

Modified: 2026-04-17T15:25:11.850

Link: CVE-2026-34720

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:57Z

Weaknesses