Executive Summary

CVE-2026-34248 is a low-severity information disclosure vulnerability in Zammad version 7.0.0, a web-based open source helpdesk system. The issue occurs in the ticket detail view for customers who belong to shared organizations, where customers can see each other's tickets.

Due to improper access control, customers could view ticket fields that were not intended for them, including internal-use fields such as priority and custom ticket attributes. However, they could not modify these fields.

This vulnerability was fixed in version 7.0.1.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthorized customers within shared organizations to view sensitive ticket information that is meant for internal use only, such as priority levels and custom ticket attributes.

While they cannot modify this information, the unauthorized disclosure could lead to information leakage, potentially exposing internal processes or priorities.

The impact is limited to confidentiality with no effect on data integrity or system availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized viewing of internal ticket fields by customers within shared organizations in Zammad versions prior to 7.0.1.

Detection would involve verifying if customers in shared organizations can access ticket fields that are not intended for them, such as priority or custom internal ticket attributes.

Since this is an application-level access control issue, network-level commands alone may not detect it directly.

A practical approach is to test the application by logging in as a customer user within a shared organization and attempting to view tickets opened by other users in the same organization to see if restricted fields are visible.

No specific commands are provided in the available resources for automated detection.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in Zammad version 7.0.1.

The immediate mitigation step is to upgrade Zammad to version 7.0.1 or later.

Until the upgrade is applied, consider restricting or disabling shared organizations functionality if possible to prevent customers from viewing each other's tickets.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows customers within shared organizations to view ticket fields not intended for them, including internal-use fields such as priority and custom ticket attributes. Although they cannot modify these fields, the unauthorized disclosure of information represents a failure in access control.

Such unauthorized information disclosure could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect confidentiality and privacy.

Since the vulnerability involves improper access control leading to low-severity information disclosure, organizations using affected versions of Zammad might face compliance risks if sensitive or personal data is exposed to unauthorized users.

Useful 0 Not Useful 0