CVE-2026-34248
Information Disclosure in Zammad Shared Organization Tickets Prior to

Publication date: 2026-04-08

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1, customers in shared organizations (meaning they can see each other's tickets) could see fields that are not intended for customers, including fields not intended for them at all (e.g. priority, custom ticket attributes for internal purposes). This was the case when a customer opened a ticket from another user of the same shared organization. They were not able to modify these fields. This vulnerability is fixed in 7.0.1.
Meta Information
Published: 2026-04-08
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: zammad | Product: zammad | Version / Range: 7.0.0
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-34248 is a low-severity information disclosure vulnerability in Zammad version 7.0.0, a web-based open source helpdesk system. The issue occurs in the ticket detail view for customers who belong to shared organizations, where customers can see each other's tickets.

Due to improper access control, customers could view ticket fields that were not intended for them, including internal-use fields such as priority and custom ticket attributes. However, they could not modify these fields.

This vulnerability was fixed in version 7.0.1.


How can this vulnerability impact me?

This vulnerability allows unauthorized customers within shared organizations to view sensitive ticket information that is meant for internal use only, such as priority levels and custom ticket attributes.

While they cannot modify this information, the unauthorized disclosure could lead to information leakage, potentially exposing internal processes or priorities.

The impact is limited to confidentiality with no effect on data integrity or system availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized viewing of internal ticket fields by customers within shared organizations in Zammad versions prior to 7.0.1.

Detection would involve verifying if customers in shared organizations can access ticket fields that are not intended for them, such as priority or custom internal ticket attributes.

Since this is an application-level access control issue, network-level commands alone may not detect it directly.

A practical approach is to test the application by logging in as a customer user within a shared organization and attempting to view tickets opened by other users in the same organization to see if restricted fields are visible.

No specific commands are provided in the available resources for automated detection.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in Zammad version 7.0.1.

The immediate mitigation step is to upgrade Zammad to version 7.0.1 or later.

Until the upgrade is applied, consider restricting or disabling shared organizations functionality if possible to prevent customers from viewing each other's tickets.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows customers within shared organizations to view ticket fields not intended for them, including internal-use fields such as priority and custom ticket attributes. Although they cannot modify these fields, the unauthorized disclosure of information represents a failure in access control.

Such unauthorized information disclosure could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect confidentiality and privacy.

Since the vulnerability involves improper access control leading to low-severity information disclosure, organizations using affected versions of Zammad might face compliance risks if sensitive or personal data is exposed to unauthorized users.

