Zammad has incorrect access control in getting_started_controller_CVE-2026-34723

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4.

Basic Information

ID CVE-2026-34723

Source GitHub_M

Published Apr 8, 2026 at 18:14

Modified Apr 10, 2026 at 20:40

Affected Product

Vendor zammad

Product zammad

Version < 6.5.4

Affected Versions zammad zammad < 6.5.4
zammad zammad >= 7.0.0-alpha, < 7.0.1

CWE Classification

CWE-284

References

github.com /zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727

{
    "lastseen": "",
    "description": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4.",
    "published": "2026-04-08T18:14:08.582Z",
    "modified": "2026-04-10T20:40:49.909Z",
    "type": "cve",
    "title": "Zammad has incorrect access control in getting_started_controller",
    "source": "GitHub_M",
    "references": "https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727",
    "id": "CVE-2026-34723",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "zammad zammad < 6.5.4\nzammad zammad >= 7.0.0-alpha, < 7.0.1",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "zammad",
    "version": "< 6.5.4",
    "vendor": "zammad",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}