Description
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4.
Published: 2026-04-08
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is due to an incorrect access control check in Zammad's getting_started_controller. An unauthenticated remote attacker can invoke the getting_started endpoint and retrieve sensitive internal entity data that should be protected. The weakness is a classic access control violation, identified as CWE-284.

Affected Systems

Zammad helpdesk installations running releases before 7.0.1 (7.x branch) or before 6.5.4 (6.5.x branch) are affected. Any deployment older than those patch versions is vulnerable.

Risk and Exploitability

The CVSS base score of 8.7 marks this flaw as high severity. The EPSS score of 0.00044 indicates a very low likelihood of exploitation, but the flaw is still technically simple to exploit: a remote attacker can send a request to the exposed endpoint without authentication, likely via a web browser or HTTP client. The vulnerability is not listed in the CISA KEV catalog, yet the potential for data exposure remains significant.

Generated by OpenCVE AI on April 18, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zammad to version 7.0.1 or newer (or 6.5.4 or newer).
  • Verify that the /getting_started endpoint is no longer accessible to unauthenticated users.
  • If upgrading is not immediately possible, restrict network access to the /getting_started endpoint using firewall rules or a web application firewall.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*
cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:*

Fri, 10 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Zammad
Zammad zammad
Vendors & Products Zammad
Zammad zammad

Wed, 08 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4.
Title Zammad has incorrect access control in getting_started_controller
Weaknesses CWE-284
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T20:40:49.909Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34723

Vulnrichment

Updated: 2026-04-10T20:40:40.362Z

NVD

Status : Analyzed

Published: 2026-04-08T19:25:22.580

Modified: 2026-04-17T15:10:09.747

Link: CVE-2026-34723

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z

Weaknesses