Description
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied for use in the AI prompt were not checked to confirm they are accessible to the current user. This leads to data being present in the AI prompt that were not authorized before being used. A user needs to have ticket.agent permission to be able to use the provided context data. This vulnerability is fixed in 7.0.1.
Published: 2026-04-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Exposure in AI Prompts
Action: Patch Now
AI Analysis

Impact

The Zammad helpdesk system contains a flaw in the REST endpoint used to call AI‑based text tools. An authenticated user with ticket.agent permission can submit context data—such as group or organization information—that is not checked for proper authorization before it is inserted into the AI prompt. As a result, sensitive data that the user should not access can be exposed through the AI assistance function. This vulnerability represents a typical missing authorization weakness, allowing unauthorized reading of confidential information.
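The pattern behind this CWE-862 finding, as an added example that is not Zammad's code and does not reflect how the project's controller is written: an AI text-tool endpoint receives ids of context objects (groups, organizations) from the caller and serializes them into the prompt. The unsafe builder loads whatever ids it is given; the hardened builder first requires the ticket.agent permission and then resolves each id only through the objects the current user may read. All names, records and the permission model below are constructed for illustration.

```ruby
# Added example (not Zammad's code): missing vs. enforced authorization on
# context objects that are serialized into an AI prompt. Sample data and the
# simplified permission model are constructed for this illustration.

Group        = Struct.new(:id, :name, :note)
Organization = Struct.new(:id, :name, :note)
User         = Struct.new(:id, :login, :permissions, :group_ids, :organization_ids)

class AuthorizationError < StandardError; end

# Constructed sample data: the agent may read group 1 and organization 10 only.
GROUPS = {
  1 => Group.new(1, 'Support', 'public-facing queue'),
  2 => Group.new(2, 'Finance', 'internal: invoice disputes, bank details'),
}.freeze
ORGANIZATIONS = {
  10 => Organization.new(10, 'ACME Corp', 'standard SLA'),
  20 => Organization.new(20, 'Zeta Ltd', 'confidential: pending acquisition'),
}.freeze
AGENT    = User.new(1, 'agent1', ['ticket.agent'], [1], [10])
CUSTOMER = User.new(2, 'customer1', ['ticket.customer'], [], [10])

# Vulnerable pattern: every id the client sends is loaded and rendered into the
# prompt; nothing checks that the current user may read the object.
def build_context_unsafe(_user, group_ids: [], organization_ids: [])
  groups = group_ids.map { |id| GROUPS.fetch(id) }
  orgs   = organization_ids.map { |id| ORGANIZATIONS.fetch(id) }
  render_context(groups, orgs)
end

# Hardened pattern: require the ticket.agent permission, then resolve each id
# only through the set the user is allowed to read. An id outside that set is
# an authorization error rather than silently honoured.
def build_context_safe(user, group_ids: [], organization_ids: [])
  unless user.permissions.include?('ticket.agent')
    raise AuthorizationError, 'ticket.agent permission required'
  end

  groups = group_ids.map do |id|
    raise AuthorizationError, "group #{id} not accessible" unless user.group_ids.include?(id)
    GROUPS.fetch(id)
  end
  orgs = organization_ids.map do |id|
    raise AuthorizationError, "organization #{id} not accessible" unless user.organization_ids.include?(id)
    ORGANIZATIONS.fetch(id)
  end
  render_context(groups, orgs)
end

# Serialize context objects the way a prompt builder would: name plus the
# free-text note field, which is where internal remarks would leak from.
def render_context(groups, orgs)
  lines = groups.map { |g| "Group #{g.name}: #{g.note}" }
  lines += orgs.map { |o| "Organization #{o.name}: #{o.note}" }
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  # Unsafe: a context the agent is not entitled to ends up in the prompt.
  puts build_context_unsafe(AGENT, group_ids: [2], organization_ids: [20])
  # Safe: the same request is refused before anything reaches the prompt.
  begin
    build_context_safe(AGENT, group_ids: [2])
  rescue AuthorizationError => e
    puts "blocked: #{e.message}"
  end
end
```

The check sits in the code path that resolves ids into records, not in the view or the prompt template, so any caller of the endpoint is covered and a rejected id fails the whole request instead of producing a partially filtered prompt.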

Affected Systems

All installations of the open‑source Zammad helpdesk running releases earlier than version 7.0.1 are vulnerable, regardless of the environment or deployment size.

Risk and Exploitability

The flaw scores 5.3 on a standard severity scale, indicating moderate risk. No publicly available exploitation probability data are reported, and the issue is not catalogued as a widely exploited vulnerability. Exploitation requires the attacker to already possess a ticket.agent level account; the attack path is therefore internal and requires the ability to construct and send a request to the susceptible API endpoint. The potential impact is limited to confidentiality exposure, not integrity or availability.

Generated by OpenCVE AI on April 8, 2026 at 21:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zammad to version 7.0.1 or later

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Zammad
                                        Zammad zammad
Vendors & Products                      Zammad
                                        Zammad zammad

Wed, 08 Apr 2026 20:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:00:00 +0000

Type          Values Removed    Values Added
Description                     Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied for use in the AI prompt were not checked to confirm they are accessible to the current user. This leads to data being present in the AI prompt that were not authorized before being used. A user needs to have ticket.agent permission to be able to use the provided context data. This vulnerability is fixed in 7.0.1.
Title                           Zammad is missing authorization in AI assistance controller for context data used in text tools
Weaknesses                      CWE-862
References
Metrics                         cvssV4_0
                                {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:52:03.644Z

Reserved: 2026-03-30T20:52:53.284Z

Link: CVE-2026-34837

Vulnrichment

Updated: 2026-04-08T19:51:58.990Z

NVD

Status: Awaiting Analysis

Published: 2026-04-08T19:25:23.007

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-34837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:53Z

Weaknesses