Description
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4.
Published: 2026-04-08
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via unauthorized ticket creation
Action: Immediate Patch
AI Analysis

Impact

A missing authorization check on Zammad's ticket creation endpoint occurs when the optional parameter used to add links is present. Because this check is omitted, an unauthenticated user can create tickets that normally require proper permissions. The flaw is an access control weakness, classified as CWE-862, and lets an attacker create tickets that could conceal sensitive information or serve as a foothold for further compromise. The impact is limited to ticket creation, but it can be leveraged to inject malicious content or obscure legitimate support issues.

Affected Systems

The vulnerability was present in Zammad versions earlier than 7.0.1 and 6.5.4. Users running those earlier releases of the Zammad helpdesk/customer support platform are affected. The issue is tracked in Zammad's security advisory GHSA-28m3-wwgv-ppw8.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity. The likely attack vector is remote, via HTTP requests to the ticket creation endpoint with the link parameter. An attacker does not need any credentials to exploit the flaw, making the threat real if the system is exposed to untrusted users.

Generated by OpenCVE AI on April 8, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify your current Zammad installation version to determine if it predates 7.0.1 or 6.5.4.
  • Upgrade Zammad to version 7.0.1 or 6.5.4, the first releases that fix the authorization check.
  • After upgrading, confirm that the ticket creation endpoint now requires proper authentication and permissions.
  • If an upgrade cannot be applied immediately, remove or disable the link parameter in the ticket creation API or lock the endpoint to authorized users until the patch is applied.
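The first two actions above come down to a version comparison that has to respect both maintained release lines: 7.0.0 is vulnerable even though it is newer than 6.5.4, and 6.5.4 is fixed even though it is older than 7.0.1. The following helper, added here as an example and not part of the OpenCVE record or of Zammad's own code, encodes the fixed versions stated in the advisory and flags each entry of a constructed host inventory. The VERSION file path used by `read_installed_version` is an assumption about where a Zammad install records its version, not something this record states.

```python
"""Flag Zammad installs that predate the fixed releases for this issue.

Added example; not from the OpenCVE record or from Zammad. The fixed
versions (7.0.1 for the 7.x line, 6.5.4 for the 6.x line) come from the
advisory text on this page.
"""
from __future__ import annotations

import re
from pathlib import Path

# First fixed release on each maintained line, as stated in the advisory.
FIXED_BY_LINE: dict[int, tuple[int, int, int]] = {7: (7, 0, 1), 6: (6, 5, 4)}

# Constructed inventory (hostname -> reported version); sample data only.
SAMPLE_INVENTORY: dict[str, str] = {
    "helpdesk-prod": "7.0.0",
    "helpdesk-staging": "7.0.1",
    "helpdesk-legacy": "6.5.3",
    "helpdesk-lts": "v6.5.4-1",
    "helpdesk-archive": "5.4.1",
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'X.Y.Z' (optional leading 'v', optional trailing suffix) into a tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version predates the fix on its own release line.

    Lines older than 6.x predate both fixed releases and are treated as
    affected; lines newer than 7.x post-date the fix.
    """
    v = parse_version(version)
    if v[0] < 6:
        return True
    if v[0] > 7:
        return False
    return v < FIXED_BY_LINE[v[0]]


def read_installed_version(version_file: str = "/opt/zammad/VERSION") -> str:
    """Read the version string from a VERSION file.

    The default path is an assumption about a typical install layout;
    pass the real path for your deployment.
    """
    return Path(version_file).read_text(encoding="utf-8").strip()


def affected_hosts(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose reported version is affected, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} predates the fixed release")
```

Because the comparison is keyed on the major version, a 7.0.0 install is reported as affected while 6.5.4 is not, which matches the CPE entry for 7.0.0 recorded in this page's history.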

Tracking

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*
cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Zammad
Zammad zammad
Vendors & Products Zammad
Zammad zammad
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4.
Title Zammad is missing authorization in ticket create endpoint
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:51:42.966Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34722

Vulnrichment

Updated: 2026-04-08T19:51:40.083Z

NVD

Status : Analyzed

Published: 2026-04-08T19:25:22.440

Modified: 2026-04-17T15:14:07.063

Link: CVE-2026-34722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:56Z

Weaknesses