Skip to main content

Google CVE-2026-34721

| EUVDEUVD-2026-20561 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-04-08 GitHub_M
5.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
7.0.1,6.5.4
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20561
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:12 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.

AnalysisAI

Cross-site request forgery in Zammad OAuth callback endpoints for Microsoft, Google, and Facebook authentication allows authenticated attackers to hijack user sessions by crafting malicious requests that bypass CSRF state validation, potentially granting unauthorized access to user accounts and helpdesk data. The vulnerability affects Zammad versions prior to 7.0.1 and 6.5.4, and while no public exploit code has been identified, the attack requires user interaction and moderate attacker effort to execute successfully.

Technical ContextAI

Zammad implements OAuth 2.0 integration with third-party identity providers (Microsoft, Google, Facebook) to enable federated authentication. The vulnerability stems from missing CSRF state parameter validation in the OAuth callback endpoints, which are the critical redemption points where authorization codes are exchanged for access tokens. OAuth 2.0 specifies that the authorization server should return a state parameter matching the initial request to prevent CSRF attacks; without this validation (CWE-352: Cross-Site Request Forgery), an attacker can forge a callback request containing a legitimate authorization code obtained through a separate channel, potentially binding that code to a victim's session. The affected product is Zammad (CPE: cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*), a web-based open-source helpdesk platform that handles sensitive customer support data.

RemediationAI

Upgrade Zammad to version 7.0.1 (for 7.x deployments) or 6.5.4 (for 6.x deployments) to apply the CSRF state parameter validation fix. Both patched versions are now available from the Zammad project. If immediate patching is not feasible, review and audit OAuth callback endpoint logs for suspicious authorization requests, and consider temporarily disabling OAuth integration for Microsoft, Google, and Facebook until patches are deployed. Administrators should reference the official GitHub security advisory (https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c) for additional context and verification of fix integrity.

Share

CVE-2026-34721 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy