Auth bypass in Zammad

CVE-2026-34837

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, he REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied to be u…

Vulnerability class: Broken Access Control

EPSS: 0.000 (10.5th percentile) — read the EPSS interpretation.

Affected products

Zammad — versions >= 7.0.0, < 7.0.1

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8 (x_refsource_CONFIRM)