Authorization Flaw in Zammad Helpdesk System Exposes User Data
CVE-2026-34837
5.3 MEDIUM
What is CVE-2026-34837?
Zammad Helpdesk System versions prior to 7.0.1 contain an authorization flaw in the REST endpoint POST /api/v1/ai_assistance/text_tools/:id. When building an AI prompt, the endpoint loaded context data such as group or organization information without enforcing the ticket.agent permission that normally guards that data, so users lacking that permission could obtain and use it through the generated prompt. The issue is fixed in version 7.0.1; affected installations should upgrade to 7.0.1 or later.
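The following is an added illustration of the flaw class described above, written for this page; it is not Zammad's code, and every class, method and data value in it is hypothetical. The only detail taken from the advisory is the permission string "ticket.agent". The vulnerable shape builds a prompt from whatever context the request names without consulting the caller's permissions; the fixed shape gates the context lookup behind the same permission that protects the underlying records.

```ruby
# Added example, not Zammad's code: a minimal model of the authorization flaw
# described in the advisory. All names below are hypothetical; only the
# permission string "ticket.agent" comes from the advisory text.

class Forbidden < StandardError; end

User  = Struct.new(:login, :permissions)
Group = Struct.new(:id, :name, :internal_note)

# Constructed sample data: group context that should only be visible to agents.
GROUPS = {
  1 => Group.new(1, "Sales", "VIP accounts get a callback within 1h"),
}.freeze

# Hypothetical text-tool definitions, standing in for the :id in /text_tools/:id.
TEXT_TOOLS = {
  "rephrase" => "Rephrase the following reply politely:",
}.freeze

# Hypothetical context loader. This is the kind of step the advisory says was
# reachable without the ticket.agent permission.
def group_context(group_id)
  group = GROUPS.fetch(group_id) { raise ArgumentError, "unknown group #{group_id}" }
  "Group #{group.name}: #{group.internal_note}"
end

# Vulnerable shape: the prompt is assembled from any context the request asks
# for; the caller's permissions are never checked (the user argument is unused).
def build_prompt_vulnerable(_user, tool_id, text, group_id: nil)
  instruction = TEXT_TOOLS.fetch(tool_id)
  context = group_id ? group_context(group_id) : nil
  [instruction, context, text].compact.join("\n")
end

# Fixed shape: context data is released only to callers holding ticket.agent.
# Callers without it may still run the tool on their own text, but any attempt
# to pull in group context is rejected before the lookup happens.
def build_prompt_fixed(user, tool_id, text, group_id: nil)
  instruction = TEXT_TOOLS.fetch(tool_id)
  context = nil
  if group_id
    unless user.permissions.include?("ticket.agent")
      raise Forbidden, "#{user.login} lacks ticket.agent; context data denied"
    end
    context = group_context(group_id)
  end
  [instruction, context, text].compact.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  customer = User.new("customer@example.com", ["ticket.customer"])
  agent    = User.new("agent@example.com", ["ticket.agent"])

  # Leaks the internal note to a customer.
  puts build_prompt_vulnerable(customer, "rephrase", "Thanks for your patience.", group_id: 1)
  # Agent still gets the context.
  puts build_prompt_fixed(agent, "rephrase", "Thanks for your patience.", group_id: 1)
  # Customer is refused.
  begin
    build_prompt_fixed(customer, "rephrase", "Thanks for your patience.", group_id: 1)
  rescue Forbidden => e
    puts "denied: #{e.message}"
  end
end
```

The point of the check's placement is that it sits on the context lookup itself rather than only on the endpoint: the tool may legitimately be usable by a wider set of callers, but the data it pulls in must carry the permission requirement of the records it came from.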
Affected Version(s)
zammad >= 7.0.0, < 7.0.1
