Zammad has a Server-side request forgery (SSRF) via webhooks

8.3 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:H

Description

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses — only the URL scheme (HTTP/HTTPS) as well as the hostname was checked. This could end up in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4.

Basic Information

ID CVE-2026-34719

Source GitHub_M

Published Apr 8, 2026 at 18:02

Modified Apr 10, 2026 at 20:38

Affected Product

Vendor zammad

Product zammad

Version < 6.5.4

Affected Versions zammad zammad < 6.5.4
zammad zammad >= 7.0.0-alpha, < 7.0.1

CWE Classification

CWE-918

References

github.com /zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75

{
    "lastseen": "",
    "description": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the webhook model was missing a proper validation for loop back addresses, or link-local addresses \u2014 only the URL scheme (HTTP/HTTPS) as well as the hostname was checked. This could end up in retrieving confidential metadata of cloud/hosting providers. The existing check is now extended and is applied when configuring webhooks as well as triggering webhook jobs. This vulnerability is fixed in 7.0.1 and 6.5.4.",
    "published": "2026-04-08T18:02:16.224Z",
    "modified": "2026-04-10T20:38:50.653Z",
    "type": "cve",
    "title": "Zammad has a Server-side request forgery (SSRF) via webhooks",
    "source": "GitHub_M",
    "references": "https://github.com/zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75",
    "id": "CVE-2026-34719",
    "bulletinFamily": "",
    "cwe": [
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "zammad zammad < 6.5.4\nzammad zammad >= 7.0.0-alpha, < 7.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:H/SC:L/SI:N/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "zammad",
    "version": "< 6.5.4",
    "vendor": "zammad",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Zammad has a Server-side request forgery (SSRF) via webhooks_CVE-2026-34719