Executive Summary

CVE-2026-34719 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Zammad helpdesk system versions prior to 7.0.1 and 6.5.4.

The vulnerability arises because the webhook model did not properly validate loopback or link-local IP addresses, only checking the URL scheme (HTTP/HTTPS) and hostname.

This flaw allows an attacker with high privileges to configure or trigger webhooks that make unauthorized internal network requests, potentially retrieving confidential metadata from cloud or hosting providers.

The issue is fixed by extending validation checks during webhook configuration and execution to block requests to loopback and link-local addresses.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker with elevated privileges to exploit webhooks to access sensitive internal resources or confidential metadata from cloud or hosting providers.

The attack requires no user interaction and has low complexity, making it easier for privileged attackers to execute.

While the confidentiality impact is considered low, the vulnerability can cause high availability impact, potentially disrupting service.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves Server-Side Request Forgery (SSRF) in the Zammad webhook model, where webhooks can be configured or triggered to access loopback or link-local addresses without proper validation.

To detect this vulnerability on your system, you should check the version of Zammad installed and review webhook configurations and logs for suspicious requests targeting internal IP addresses (such as 127.0.0.1 or link-local addresses).

Suggested commands include:

• Check Zammad version to verify if it is vulnerable (versions prior to 7.0.1 and 6.5.4): - sudo zammad run rails r 'puts Zammad::VERSION'
• Search webhook configuration files or database entries for URLs pointing to loopback or link-local addresses (e.g., 127.0.0.1, 169.254.x.x): - grep -rE '(127\.0\.0\.1|169\.254\.|localhost)' /path/to/zammad/config
• Monitor network traffic or logs for outgoing HTTP/HTTPS requests from Zammad to internal IP ranges: - sudo tcpdump -i any host 127.0.0.1 or net 169.254.0.0/16
• Review application logs for webhook job executions that may indicate SSRF attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Zammad to a patched version where this vulnerability is fixed.

• Upgrade Zammad to version 7.0.1 or later, or 6.5.4 or later, where the webhook validation properly restricts loopback and link-local addresses.
• Review and restrict webhook configurations to ensure no URLs point to internal or loopback addresses.
• Limit privileges to only trusted users to reduce the risk of an attacker with high privileges exploiting this vulnerability.
• Monitor webhook activity and logs for suspicious or unauthorized webhook job executions.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers with high privileges to exploit the webhook functionality to access confidential metadata of cloud or hosting providers by bypassing insufficient validation of loopback and link-local addresses.

Such unauthorized access to sensitive internal resources could potentially lead to exposure of confidential data, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding sensitive information.

However, the vulnerability has a low confidentiality impact and requires high privileges to exploit, which may limit the scope of compliance risks depending on the environment and controls in place.

Useful 0 Not Useful 0