Skip to main content

Zammad CVE-2026-34724

| EUVDEUVD-2026-20564 HIGH
Code Injection (CWE-94)
2026-04-08 GitHub_M
8.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
A
Scope
X

Lifecycle Timeline

8
Analysis Updated
Apr 17, 2026 - 15:12 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 17, 2026 - 15:07 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:01 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
7.0.1
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20564
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:17 nvd
HIGH 8.7

DescriptionGitHub Advisory

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration). This vulnerability is fixed in 7.0.1.

AnalysisAI

Remote code execution in Zammad 7.0.0 allows authenticated administrators with high-level privileges to inject malicious server-side templates through AI Agent configuration parameters, leading to arbitrary code execution on the helpdesk server. Exploitation requires administrative access to control type_enrichment_data settings and user interaction. Vendor-released patch version 7.0.1 is available. EPSS score of 0.04% indicates low exploitation probability in the wild; no public exploit identified at time of analysis.

Technical ContextAI

Zammad is an open-source Ruby on Rails-based helpdesk and customer support platform. This vulnerability stems from CWE-94 (Improper Control of Generation of Code), specifically server-side template injection (SSTI) in the AI Agent functionality introduced in version 7.0.0. The type_enrichment_data parameter, which configures AI-driven ticket enrichment features, lacks proper input sanitization before being processed by the template engine. When an attacker with administrative privileges crafts malicious template syntax within this configuration parameter, the Rails template engine (likely ERB - Embedded Ruby) evaluates the injected code server-side during AI Agent operations. This allows arbitrary Ruby code execution within the Zammad application context, inheriting the web application's permissions on the underlying operating system. The vulnerability is specific to the AI Agent feature set, which appears to be a recent addition to the platform.

RemediationAI

Immediately upgrade Zammad installations to version 7.0.1, which contains the vendor-released patch addressing the template injection flaw. The upgrade path is straightforward for version 7.0.0 users and detailed instructions are available in the GitHub security advisory at https://github.com/zammad/zammad/security/advisories/GHSA-fg9w-jg8f-4j94. For environments where immediate patching is not feasible, implement compensating controls: disable AI Agent functionality entirely through the admin interface until patching is complete (this eliminates the vulnerable code path but removes AI-driven ticket enrichment features); restrict administrative console access to trusted IP ranges via firewall rules or reverse proxy ACLs (reduces attack surface but does not prevent exploitation by legitimate admins or if admin credentials are compromised); implement comprehensive audit logging of all changes to AI Agent configuration parameters, specifically monitoring type_enrichment_data modifications (enables detection but does not prevent exploitation); enforce mandatory multi-factor authentication for all administrative accounts (raises bar for credential compromise but adds operational overhead). Note that compensating controls only reduce risk and are not substitutes for patching. Organizations not using AI Agent features can verify the feature is disabled, which effectively eliminates vulnerability without service disruption.

More in Zammad

View all
CVE-2017-5619 CRITICAL
9.8 Mar 13

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated critical severity (CVS

CVE-2017-6080 CRITICAL
9.8 Mar 13

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protecti

CVE-2022-35490 CRITICAL
9.8 Aug 08

Zammad 5.2.0 is vulnerable to privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

CVE-2021-42090 CRITICAL
9.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2021-42094 CRITICAL
9.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2020-26030 CRITICAL
9.8 Dec 28

An issue was discovered in Zammad before 3.4.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2024-33668 CRITICAL
9.1 Apr 26

An issue was discovered in Zammad before 6.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2022-27332 CRITICAL
9.1 Apr 27

An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication.

CVE-2021-42091 CRITICAL
9.1 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2017-6081 HIGH
8.8 Mar 13

A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated high severity (CVS

CVE-2021-42086 HIGH
8.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab

CVE-2026-34723 HIGH
8.7 Apr 08

Unauthenticated remote information disclosure in Zammad helpdesk system versions before 7.0.1 and 6.5.4 allows attackers

Share

CVE-2026-34724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy