Skip to main content

Zammad CVE-2026-34782

| EUVDEUVD-2026-20566 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
7.0.1
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20566
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:18 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to use the text tool, resulting in being able to use it in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4.

AnalysisAI

Bypass of access controls in Zammad REST API endpoint POST /api/v1/ai_assistance/text_tools/:id allows authenticated users to utilize AI text tools without proper privilege verification in versions prior to 7.0.1 and 6.5.4. An authenticated attacker can invoke AI assistance features regardless of their assigned permissions, leading to unauthorized consumption of text tool functionality and potential information disclosure through unrestricted tool access.

Technical ContextAI

Zammad is a web-based helpdesk and customer support platform implemented with a REST API architecture. The vulnerability exists in the AI assistance subsystem, specifically the text tools endpoint, which failed to implement proper authorization checks (CWE-862: Missing Authorization). The endpoint validates that a request is authenticated (requiring PR:L privilege level per CVSS vector) but does not verify whether the authenticated user has been explicitly granted permission to access specific text tools. This is a common authorization defect where authentication and authorization are conflated; the API verifies the user's identity but skips the secondary check of whether that user's role or permissions allow access to the requested resource. The vulnerability affects all versions of Zammad prior to the patched releases, spanning the 6.x and 7.x major version lines.

RemediationAI

Upgrade Zammad to version 7.0.1 or later for organizations running the 7.x branch, or upgrade to version 6.5.4 or later for organizations on the 6.x branch. These patched releases implement proper privilege verification in the AI text tools endpoint, ensuring that only users with explicit authorization can invoke text tool functionality. Administrators should review deployment documentation at https://github.com/zammad/zammad/security/advisories/GHSA-96r7-29c8-2j7q for upgrade procedures. As an interim measure, organizations unable to patch immediately should restrict API access to the POST /api/v1/ai_assistance/text_tools/:id endpoint at the network layer or through API gateway rules, allowing only authenticated users whose roles are intended to have text tool access.

More in Zammad

View all
CVE-2017-5619 CRITICAL
9.8 Mar 13

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated critical severity (CVS

CVE-2017-6080 CRITICAL
9.8 Mar 13

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protecti

CVE-2022-35490 CRITICAL
9.8 Aug 08

Zammad 5.2.0 is vulnerable to privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

CVE-2021-42090 CRITICAL
9.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2021-42094 CRITICAL
9.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2020-26030 CRITICAL
9.8 Dec 28

An issue was discovered in Zammad before 3.4.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2024-33668 CRITICAL
9.1 Apr 26

An issue was discovered in Zammad before 6.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2022-27332 CRITICAL
9.1 Apr 27

An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication.

CVE-2021-42091 CRITICAL
9.1 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2017-6081 HIGH
8.8 Mar 13

A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated high severity (CVS

CVE-2021-42086 HIGH
8.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab

CVE-2026-34723 HIGH
8.7 Apr 08

Unauthenticated remote information disclosure in Zammad helpdesk system versions before 7.0.1 and 6.5.4 allows attackers

Share

CVE-2026-34782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy