Zammad CVE Vulnerabilities and CVE List (90)

Product (CPE): — CVE count: 90

Zammad Vulnerability Overview

This page aggregates CVE and security vulnerability information across Zammad-related products, including CVSS, EPSS, publication dates and vulnerability details.

Common weakness patterns include SSRF, path handling flaws, open redirects and insufficient input validation; in production workloads and software deployments these can lead to risks such as session compromise, file overwrite and unexpected behavior.

The listed data is based on public vulnerability information and security advisories and can be used to assess past exposure and remediation priority.

Vulnerability distribution over time (last 24 months)

CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated
CVE-2026-34837 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied to be used in the AI prompt were not checked if they are accessible for the current user. This leads to having data present in the AI prompt that were not authorized before being used. A user needs to have ticket.agent permission to be able to use the provided context [email protected] 5.3 0.18% 2026-04-08 2026-06-17
CVE-2026-34782 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the REST endpoint POST /api/v1/ai_assistance/text_tools/:id was not checking if a user is privileged to use the text tool, resulting in being able to use it in all situations. This vulnerability is fixed in 7.0.1 and 6.5.4. [email protected] 5.3 0.17% 2026-04-08 2026-06-17
CVE-2026-34724 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, a server-side template injection vulnerability which leads to RCE via AI Agent exists. Impact is limited to environments where an attacker can control or influence type_enrichment_data (typically high-privilege administrative configuration). This vulnerability is fixed in 7.0.1. [email protected] 8.7 0.26% 2026-04-08 2026-06-17
CVE-2026-34723 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4. [email protected] 8.7 0.44% 2026-04-08 2026-06-17
CVE-2026-34722 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4. [email protected] 6.9 0.17% 2026-04-08 2026-06-17
CVE-2026-34721 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4. [email protected] 5.9 0.10% 2026-04-08 2026-06-17
CVE-2026-34720 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4. [email protected] 2.3 0.10% 2026-04-08 2026-06-17
CVE-2026-34719 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses — only the URL scheme (HTTP/HTTPS) as well as the hostname was checked. This could end up in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as triggering webhook jobs. This vulnerability is fixed in 7.0.1 and [email protected] 8.3 0.24% 2026-04-08 2026-06-17
CVE-2026-34718 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the HTML sanitizer for ticket articles was missing proper sanitization of data: ... URI schemes, resulting in storing such malicious content in the database of the Zammad instance. The Zammad GUI is rendering this content, due to applied CSP rules no harm was done by e.g., clicking such a link. This vulnerability is fixed in 7.0.1 and 6.5.4. [email protected] 5.3 0.15% 2026-04-08 2026-06-17
CVE-2026-34248 Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (meaning they can see each other's tickets) could see fields which are not intended for customers - including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these fields. This vulnerability is fixed in [email protected] 2.1 0.19% 2026-04-08 2026-06-17
CVE-2025-32360 In Zammad 6.4.x before 6.4.2, there is information exposure. Only agents should be able to see and work on shared article drafts. However, a logged in customer was able to see details about shared drafts for their customer tickets in the browser console, which may contain confidential information, and also to manipulate them via API. [email protected] 4.2 0.17% 2025-04-05 2026-06-17
CVE-2025-32359 In Zammad 6.4.x before 6.4.2, there is client-side enforcement of server-side security. When changing their two factor authentication configuration, users need to re-authenticate with their current password first. However, this change was enforced in Zammad only on the front end level, and not when using the API directly. [email protected] 4.8 0.24% 2025-04-05 2026-06-17
CVE-2025-32358 In Zammad 6.4.x before 6.4.2, SSRF can occur. Authenticated admin users can enable webhooks in Zammad, which are triggered as POST requests when certain conditions are met. If a webhook endpoint returned a redirect response, Zammad would follow it automatically with another GET request. This could be abused by an attacker to cause GET requests for example in the local network. [email protected] 4.0 0.18% 2025-04-05 2026-06-17
CVE-2025-32357 In Zammad 6.4.x before 6.4.2, an authenticated agent with knowledge base permissions was able to use the Zammad API to fetch knowledge base content that they have no permission for. [email protected] 4.3 0.16% 2025-04-05 2026-06-17
CVE-2024-55578 Zammad before 6.4.1 places sensitive data (such as auth_microsoft_office365_credentials and application_secret) in log files. [email protected] 4.3 0.28% 2024-12-08 2026-06-17
CVE-2024-36078 In Zammad before 6.3.1, a Ruby gem bundled by Zammad is installed with world-writable file permissions. This allowed a local attacker on the server to modify the gem's files, injecting arbitrary code into Zammad processes (which run with the environment and permissions of the Zammad user). [email protected] 6.7 0.20% 2024-05-19 2026-06-17
CVE-2024-33668 An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to. [email protected] 9.1 0.44% 2024-04-25 2026-06-17
CVE-2024-33667 An issue was discovered in Zammad before 6.3.0. An authenticated agent could perform a remote Denial of Service attack by calling an endpoint that accepts a generic method name, which was not properly sanitized against an allowlist. [email protected] 6.5 0.56% 2024-04-25 2026-06-17
CVE-2024-33666 An issue was discovered in Zammad before 6.3.0. Users with customer access to a ticket could have accessed time accounting details of this ticket via the API. This data should be available only to agents. [email protected] 8.6 0.52% 2024-04-25 2026-06-17
CVE-2023-50457 An issue was discovered in Zammad before 6.2.0. When listing tickets linked to a knowledge base answer, or knowledge base answers of a ticket, a user could see entries for which they lack permissions. [email protected] 4.3 0.41% 2023-12-10 2026-06-17
cvelogic Threat Intelligence