Auth bypass in Zammad

CVE-2026-34722

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in…

Vulnerability class: Broken Access Control

EPSS: 0.000 (11.6th percentile) — read the EPSS interpretation.

Affected products

Zammad — versions < 6.5.4, >= 7.0.0-alpha, < 7.0.1

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8 (x_refsource_CONFIRM)