Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4.
AnalysisAI
Unauthenticated remote information disclosure in Zammad helpdesk system versions before 7.0.1 and 6.5.4 allows attackers to access sensitive internal entity data through exposed getting started endpoint. The vulnerability bypasses authentication controls, enabling unauthorized access to confidential system information post-setup. Attack vector is network-based with low complexity requiring no user interaction. No public exploit identified at time of analysis. CVSS 8.7 reflects high confidentiality impact.
Technical ContextAI
Root cause involves improper access control (CWE-284) on setup/initialization endpoint that fails to enforce authentication after system configuration completes. Getting started workflow endpoint remains accessible without credentials, exposing internal data structures and entity information that should be restricted to authenticated administrators post-deployment.
RemediationAI
Vendor-released patch: Zammad 7.0.1 (for 7.x deployments) and 6.5.4 (for 6.x deployments). Upgrade immediately to applicable patched version to eliminate unauthenticated endpoint exposure. No workarounds identified; patching is mandatory remediation. If immediate upgrade is infeasible, restrict network access to Zammad instances using firewall rules limiting exposure to trusted IP ranges until patching completes. Verify post-upgrade that getting started endpoint requires authentication. Advisory URL: https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727
An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated critical severity (CVS
An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protecti
Zammad 5.2.0 is vulnerable to privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely e
An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
An issue was discovered in Zammad before 3.4.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo
An issue was discovered in Zammad before 6.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo
An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication.
An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo
A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated high severity (CVS
An issue was discovered in Zammad before 4.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab
Remote code execution in Zammad 7.0.0 allows authenticated administrators with high-level privileges to inject malicious
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20563