Skip to main content

Zammad EUVDEUVD-2026-20560

| CVE-2026-34720 LOW
Origin Validation Error (CWE-346)
2026-04-08 GitHub_M
2.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
6.5.4,7.0.1
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20560
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:11 nvd
LOW 2.3

DescriptionGitHub Advisory

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4.

AnalysisAI

Zammad prior to versions 7.0.1 and 6.5.4 fails to validate that Single Sign-On (SSO) headers originate from trusted proxy/gateway sources before processing them, allowing authenticated attackers with particular preconditions to cause limited information disclosure. The vulnerability requires authentication, high attack complexity, and specific preconditions (AT:P in CVSS 4.0 vector), resulting in a low real-world risk profile despite network accessibility.

Technical ContextAI

The vulnerability resides in Zammad's SSO authentication mechanism, which implements header-based trust delegation to upstream proxy/gateway servers. The root cause is classified as CWE-346 (Origin Validation Error), meaning the application accepts SSO assertions from HTTP headers without cryptographic verification that those headers originated from a legitimate, pre-configured SSO proxy. In typical SSO architectures, a reverse proxy or API gateway (such as OAuth2 Proxy, Authentik, or Keycloak) sits between users and the application, and communicates authenticated user identity via trusted headers. Zammad's implementation appears to process these headers (likely X-Remote-User or similar conventions) without verifying the request path through the trusted proxy or validating header signatures, creating a scenario where a direct network client (bypassing the proxy or on the same network segment) could potentially craft malicious SSO headers. The affected product is identified by CPE cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*, encompassing all versions prior to the patched releases.

RemediationAI

Vendor-released patches: Zammad 7.0.1 and Zammad 6.5.4 both address this vulnerability. Users should upgrade to one of these versions or later according to their branch. For organizations unable to patch immediately, review SSO proxy configuration to ensure the proxy enforces strict network access controls (e.g., only the reverse proxy can connect directly to Zammad) and that Zammad is not exposed to direct internet access or untrusted networks. If possible, implement network segmentation so that only the trusted SSO gateway can reach Zammad on its application port. Refer to the GitHub Security Advisory at https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7 for additional guidance.

More in Zammad

View all
CVE-2017-5619 CRITICAL
9.8 Mar 13

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated critical severity (CVS

CVE-2017-6080 CRITICAL
9.8 Mar 13

An issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1, caused by lack of a protecti

CVE-2022-35490 CRITICAL
9.8 Aug 08

Zammad 5.2.0 is vulnerable to privilege escalation. Rated critical severity (CVSS 9.8), this vulnerability is remotely e

CVE-2021-42090 CRITICAL
9.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2021-42094 CRITICAL
9.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2020-26030 CRITICAL
9.8 Dec 28

An issue was discovered in Zammad before 3.4.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely explo

CVE-2024-33668 CRITICAL
9.1 Apr 26

An issue was discovered in Zammad before 6.3.0. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2022-27332 CRITICAL
9.1 Apr 27

An access control issue in Zammad v5.0.3 allows attackers to write entries to the CTI caller log without authentication.

CVE-2021-42091 CRITICAL
9.1 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely explo

CVE-2017-6081 HIGH
8.8 Mar 13

A CSRF issue was discovered in Zammad before 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Rated high severity (CVS

CVE-2021-42086 HIGH
8.8 Oct 07

An issue was discovered in Zammad before 4.1.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitab

CVE-2026-34723 HIGH
8.7 Apr 08

Unauthenticated remote information disclosure in Zammad helpdesk system versions before 7.0.1 and 6.5.4 allows attackers

Share

EUVD-2026-20560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy