Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.
AnalysisAI
Cross-site request forgery in Zammad OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows authenticated attackers to hijack user sessions by crafting malicious requests that bypass CSRF state validation, potentially granting unauthorized access to user accounts and helpdesk data. The vulnerability affects Zammad versions prior to 7.0.1 and 6.5.4, and while no public exploit code has been identified, the attack requires user interaction and moderate attacker effort to execute successfully.
Technical ContextAI
Zammad implements OAuth 2.0 integration with third-party identity providers (Microsoft, Google, Facebook) to enable federated authentication. The vulnerability stems from missing CSRF state parameter validation in the OAuth callback endpoints, which are the critical redemption points where authorization codes are exchanged for access tokens. OAuth 2.0 specifies that the authorization server should return a state parameter matching the initial request to prevent CSRF attacks; without this validation (CWE-352: Cross-Site Request Forgery), an attacker can forge a callback request containing a legitimate authorization code obtained through a separate channel, potentially binding that code to a victim's session. The affected product is Zammad (CPE: cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*), a web-based open-source helpdesk platform that handles sensitive customer support data.
RemediationAI
Upgrade Zammad to version 7.0.1 (for 7.x deployments) or 6.5.4 (for 6.x deployments) to apply the CSRF state parameter validation fix. Both patched versions are now available from the Zammad project. If immediate patching is not feasible, review and audit OAuth callback endpoint logs for suspicious authorization requests, and consider temporarily disabling OAuth integration for Microsoft, Google, and Facebook until patches are deployed. Administrators should reference the official GitHub security advisory (https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c) for additional context and verification of fix integrity.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20561