Skip to main content

Zammad CVE-2026-34837

| EUVDEUVD-2026-20568 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
7.0.1
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20568
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:20 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, he REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied to be used in the AI prompt were not checked if they are accessible for the current user. This leads to having data present in the AI prompt that were not authorized before being used. A user needs to have ticket.agent permission to be able to use the provided context data. This vulnerability is fixed in 7.0.1.

AnalysisAI

Zammad versions prior to 7.0.1 fail to validate user authorization for context data supplied to the REST endpoint POST /api/v1/ai_assistance/text_tools/:id, allowing authenticated agents to access and leak unauthorized information (such as group or organization data) through AI prompt injection. The vulnerability requires the attacker to possess ticket.agent permission but does not require additional user interaction; no public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

The vulnerability exists in Zammad's AI assistance REST API endpoint, which accepts context data (groups, organizations, etc.) to be included in AI prompts without performing access control checks. The underlying issue is an authorization bypass rooted in CWE-862 (Missing Authorization), where the application fails to verify that the current user has permission to access the context resources before incorporating them into the AI processing pipeline. The affected product is the Zammad helpdesk platform (CPE: cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*), a web-based open-source customer support system that integrates AI functionality for text processing. The flaw allows a user with basic agent privileges to circumvent data access boundaries by leveraging the AI assistance feature as a vector to extract sensitive information that would normally be restricted by the application's role-based access control.

RemediationAI

Upgrade Zammad to version 7.0.1 or later to apply the vendor-released patch that restores authorization checks for context data in the AI assistance endpoint. The patch ensures that all context data (groups, organizations, etc.) supplied to the text_tools/:id endpoint are validated against the current user's access permissions before being included in AI prompts. Organizations unable to upgrade immediately should restrict access to the POST /api/v1/ai_assistance/text_tools/:id endpoint via network segmentation or WAF rules to users who do not require AI assistance functionality, and review logs for unauthorized context data access patterns. Refer to https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8 for official patching guidance and deployment notes.

More in Zammad

View all
CVE-2017-5619 CRITICAL
9.8 Mar 13

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated critical severity (CVS

CVE-2017-6080 CRITICAL
9.8 Mar 13

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protecti

CVE-2022-35490 CRITICAL
9.8 Aug 08

Zammad 5.2.0 is vulnerable to privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

CVE-2021-42090 CRITICAL
9.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2021-42094 CRITICAL
9.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2020-26030 CRITICAL
9.8 Dec 28

An issue was discovered in Zammad before 3.4.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2024-33668 CRITICAL
9.1 Apr 26

An issue was discovered in Zammad before 6.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2022-27332 CRITICAL
9.1 Apr 27

An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication.

CVE-2021-42091 CRITICAL
9.1 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2017-6081 HIGH
8.8 Mar 13

A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated high severity (CVS

CVE-2021-42086 HIGH
8.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab

CVE-2026-34723 HIGH
8.7 Apr 08

Unauthenticated remote information disclosure in Zammad helpdesk system versions before 7.0.1 and 6.5.4 allows attackers

Share

CVE-2026-34837 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy