Description
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.
Published: 2026-04-08
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized account actions
Action: Immediate Patch
AI Analysis

Impact

The identified flaw resides in Zammad's OAuth callback endpoints for Microsoft, Google, and Facebook. Because the application does not verify the CSRF state parameter, the callback cannot tell whether the incoming request belongs to a flow the user's browser actually started, so a forged cross-site request is accepted as legitimate. This permits unauthorized actions to be carried out in the context of an authenticated user, potentially resulting in compromised user sessions or unauthorized access to internal resources.
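To make the missing check concrete, the following Ruby sketch (added here for illustration; it is not Zammad's code) contrasts a callback that accepts any request carrying a code with one that binds a random state value to the session before the redirect and verifies it, single-use and unexpired, when the provider calls back. The `session` Hash, provider names and authorize URLs are assumed placeholders.

```ruby
require 'securerandom'
require 'uri'

# Models the OAuth "state" CSRF check the affected callbacks lacked. `session`
# is a plain Hash standing in for the Rails session store (assumption).
module OAuthStateGuard
  STATE_TTL = 600 # seconds a pending state remains valid

  # Behaviour equivalent to the flaw: any callback carrying a code is accepted,
  # so a cross-site request can complete a flow the user never started.
  def self.unchecked_callback(params)
    !params['code'].to_s.empty?
  end

  # Step 1, before redirecting to the provider: mint a random state, bind it to
  # this session (with provider and expiry), and embed it in the authorize URL.
  def self.begin_authorization(session, provider, authorize_base, now: Time.now)
    state = SecureRandom.urlsafe_base64(32)
    session[:oauth_state] = { 'value' => state, 'provider' => provider,
                              'expires_at' => (now + STATE_TTL).to_i }
    sep = authorize_base.include?('?') ? '&' : '?'
    authorize_base + sep + URI.encode_www_form({ 'state' => state })
  end

  # Step 2, at the callback: accept the code only if the echoed state matches
  # the one bound to this session, is unexpired, and has not been used before.
  # Returns [accepted, reason].
  def self.verify_callback(session, provider, params, now: Time.now)
    pending = session.delete(:oauth_state) # single-use: consume on first sight
    return [false, :missing_state]     if params['state'].to_s.empty?
    return [false, :no_pending_state]  if pending.nil?
    return [false, :provider_mismatch] if pending['provider'] != provider
    return [false, :expired]           if now.to_i > pending['expires_at']
    return [false, :state_mismatch]    unless secure_equal?(pending['value'], params['state'])
    [true, :ok]
  end

  # Constant-time comparison so the check does not leak timing information.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Note that the state is deleted from the session before any check runs, so a replayed or forged callback can never be accepted twice for the same pending flow.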

Affected Systems

The affected product is Zammad (vendor Zammad, product zammad). Versions prior to 7.0.1 in the 7.x branch and prior to 6.5.4 in the 6.x branch are vulnerable. These releases are distributed as an open-source web application that provides customer support functionality.

Risk and Exploitability

With a CVSS score of 5.9 the severity is moderate. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a logged-in user with an active HTTP session and a malicious site that issues a crafted request to the callback endpoint; this is inferred from the absence of state validation rather than stated explicitly in the advisory. An attacker who can lure such a user to a malicious host can then perform unauthorized actions through that user's authenticated session.

Generated by OpenCVE AI on April 8, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Zammad 7.0.1 or 6.5.4 to address the CSRF validation issue.
  • If an upgrade cannot be performed immediately, restrict external access to the OAuth callback endpoints using firewall or web‑application configuration so that only trusted domains can initiate requests.
  • Verify that your current installation validates the CSRF state parameter before accepting OAuth callbacks.
  • Monitor the installation for signs of unauthorized OAuth usage and keep the vendor’s advisories under review.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Zammad; Zammad zammad
Vendors & Products    (none)           Zammad; Zammad zammad

Wed, 08 Apr 2026 18:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.
Title         (none)           Zammad has Cross-site request forgery (CSRF) in OAuth callback endpoints
Weaknesses    (none)           CWE-352
References    (none)
Metrics       (none)           cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T18:12:32.504Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34721

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:22.290

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-34721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:12:38Z

Weaknesses