Platform: zammad
Component: zammad
Fixed in: 6.5.5, 7.0.1
CVE-2026-34721 describes a Cross-Site Request Forgery (CSRF) vulnerability in Zammad, a web-based helpdesk and customer support system. The flaw lets an attacker potentially execute unauthorized actions within a user's account by manipulating the OAuth callback endpoints. The vulnerability affects versions 6.5.0 through 7.0.0-alpha, and specifically those prior to 7.0.1. A fix is available in versions 6.5.4 and 7.0.1.
An attacker who exploits this CSRF vulnerability could impersonate a legitimate user and perform actions on their behalf, such as creating or modifying tickets, changing user settings, or accessing sensitive customer data. The impact is amplified if the targeted user has administrative privileges, which could hand the attacker control over the entire Zammad instance and lead to data breaches, system compromise, and disruption of support operations. The OAuth callback endpoints for Microsoft, Google, and Facebook are the affected paths, so existing user accounts with these providers can be leveraged.
This vulnerability was publicly disclosed on 2026-04-08. There are currently no known public exploits or active campaigns targeting it, and it is not listed on CISA KEV as of this writing. Ease of exploitation is moderate: the attacker must socially engineer a user into clicking a malicious link.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC:
The primary mitigation is to upgrade Zammad to version 6.5.4 or 7.0.1, which include the fix. If an immediate upgrade is not feasible, consider temporary workarounds such as enforcing strict CSRF protection on all OAuth callback endpoints, for example by adding CSRF token validation to the callback handlers. A Web Application Firewall (WAF) can also be configured to filter callback requests lacking a valid CSRF token. Regularly review Zammad's security configuration and ensure that all external authentication providers are properly secured.
Update Zammad to version 7.0.1 or higher, or to version 6.5.4 or higher. These versions fix the CSRF vulnerability in the OAuth callback endpoints by correctly validating the CSRF state parameter.
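To make the fix concrete, the following is an added illustration of the kind of state-parameter check an OAuth callback needs; it is not Zammad's code and does not reflect how Zammad implements the patch. It assumes a hypothetical session store (a plain Hash here), a hypothetical 10-minute validity window, and plain Ruby with no Rails dependencies. The guard mints a random state when the login starts, binds it to the session and provider, and on the callback consumes it once, rejects missing, mismatched, stale or cross-provider states, and compares in constant time. A forged callback arriving without a matching pending login in the victim's session (the CSRF case described above) is refused before any authorization code is exchanged.

```ruby
require "securerandom"

# Hypothetical OAuth state guard (added example, not Zammad's implementation).
module OAuthStateGuard
  STATE_TTL = 600 # seconds a pending login stays valid (assumed value)

  # Step 1: before redirecting the browser to the provider, mint a random
  # state value and remember it in the user's session together with the
  # provider name and the issue time.
  def self.begin_login(session, provider, now: Time.now.to_i)
    state = SecureRandom.urlsafe_base64(32)
    session[:oauth_state] = { value: state, provider: provider, issued_at: now }
    state
  end

  # Step 2: on the callback, accept the request only if the presented state
  # matches the pending one for the same provider, is fresh, and has not
  # been used before. Returns [ok, reason] so callers can log the reason.
  def self.verify_callback(session, provider, params, now: Time.now.to_i)
    # Single use: the pending state is consumed whatever the outcome, so a
    # replayed callback cannot succeed a second time.
    pending = session.delete(:oauth_state)
    return [false, :no_pending_login] if pending.nil?
    return [false, :provider_mismatch] unless pending[:provider] == provider
    return [false, :expired] if now - pending[:issued_at] > STATE_TTL

    presented = params["state"].to_s
    return [false, :missing_state] if presented.empty?
    return [false, :state_mismatch] unless secure_equal?(pending[:value], presented)

    [true, :ok]
  end

  # Constant-time byte comparison so the expected state value cannot be
  # recovered through response-timing differences.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  state = OAuthStateGuard.begin_login(session, "google")
  puts OAuthStateGuard.verify_callback(session, "google", { "state" => state, "code" => "constructed-code" }).inspect
  # A callback with no pending login in the session (the forged-request case)
  puts OAuthStateGuard.verify_callback(session, "google", { "state" => "constructed-forged-state" }).inspect
end
```

The reason symbols are worth recording in the application log: a cluster of `:no_pending_login` or `:state_mismatch` results on the callback route is the signal a defender would watch for while the upgrade is being rolled out.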
CVE-2026-34721 is a Cross-Site Request Forgery (CSRF) vulnerability in Zammad helpdesk versions 6.5.0 through 7.0.0-alpha and before 7.0.1, allowing attackers to perform unauthorized actions.
You are affected if you are running Zammad versions 6.5.0 through 7.0.0-alpha, or versions prior to 7.0.1. Check your Zammad version and upgrade accordingly.
Upgrade Zammad to version 6.5.4 or 7.0.1. Consider temporary workarounds like CSRF protection on OAuth endpoints if immediate upgrade is not possible.
As of now, there are no known public exploits or active campaigns targeting CVE-2026-34721.
Refer to the official Zammad security advisory for detailed information and updates: https://community.zammad.com/t/security-advisory-cve-2026-34721/36367