Description
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to use the text tool, resulting in being able to use it in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized use of AI text tools
Action: Immediate Patch
AI Analysis

Impact

Zammad’s REST endpoint POST /api/v1/ai_assistance/text_tools/:id lacks a privilege check before version 7.0.1 and 6.5.4, allowing any authenticated user to execute AI text tools regardless of role. This improper access control enables unauthorized use of the system’s AI capabilities by authenticated users.

Affected Systems

Systems running Zammad 7.0.0 or earlier, and 6.5.3 or earlier are affected. The vulnerability exists in the core web‑based helpdesk application and can be triggered through its API interface.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity. An attacker must be authenticated, but the exposed endpoint can be abused to misuse AI text tools. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog, indicating a moderate but lower exploitation likelihood.

Generated by OpenCVE AI on April 8, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zammad to version 7.0.1 or 6.5.4 or later where the privilege check is restored.

Generated by OpenCVE AI on April 8, 2026 at 21:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Zammad
Zammad zammad
Vendors & Products Zammad
Zammad zammad

Wed, 08 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
Description Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to use the text tool, resulting in being able to use it in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4.
Title Zammad has improper access control in AI assistance controller for text tools
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Zammad Zammad
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T14:22:06.575Z

Reserved: 2026-03-30T19:54:55.556Z

Link: CVE-2026-34782

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:22.867

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-34782

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:54Z

Weaknesses