CVE-2026-34721
Status: Received - Intake
CSRF Vulnerability in Zammad OAuth Callback Endpoints

Publication date: 2026-04-08

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.
Meta Information
Generated: 2026-06-16
EPSS evaluated: 2026-06-15 (no CVSS or EPSS score is listed on this page)
Affected Vendors & Products (2 associated CPEs)

Vendor    Product    Version / Range
zammad    zammad     7.0.0
zammad    zammad     < 6.5.4 (up to and excluding 6.5.4)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Executive Summary

CVE-2026-34721 is a Cross-Site Request Forgery (CSRF, CWE-352) weakness in the OAuth callback endpoints of the Zammad helpdesk system, affecting versions before 7.0.1 and 6.5.4.

The callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. The state parameter is what binds an OAuth callback to the browser session that started the authorization flow; without that check the endpoint cannot tell whether the authorization code it receives belongs to a flow the current user began or to one that an attacker began and then delivered to the user's browser. That is the condition a CSRF against such an endpoint exploits, and it lets an attacker cause actions through the callback that the user did not intend.

The fix in 7.0.1 and 6.5.4 adds validation of the state parameter on these callbacks.

Impact Analysis

Because the callback accepts an authorization code without proving that the current session started the flow, an attacker can have a logged-in Zammad user's browser complete an OAuth flow the attacker prepared, and so perform unauthorized actions through the callback.

The impact listed here is low for confidentiality and high for integrity: the main risk is unauthorized modification of account state rather than disclosure of data.

The listed vector is network-reachable, requires low privileges, and is rated as needing no user interaction; read this together with the CSRF mechanism, which still depends on a victim holding an active Zammad session loading a crafted URL (a link, an embedded image, or a redirect), since that is what delivers the forged callback request. Overall the page rates the risk as moderate.

Compliance Impact

The available information does not state how this vulnerability affects compliance with standards and regulations such as GDPR or HIPAA.

Detection Guidance

The quickest check is the version: Zammad 7.0.0, or any release before 6.5.4, with Microsoft, Google, or Facebook external authentication enabled is affected.

To verify behaviour rather than version, the OAuth callback endpoint for each enabled provider should reject a callback whose state parameter is missing or does not match the one issued to the current session; a callback that completes in that situation confirms the missing validation. In access logs, callback requests that carry no state parameter, or that arrive with a Referer from a site other than the identity provider, are worth investigating as possible forged callbacks.

No specific commands or detection tools are provided in the available resources.
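A first-pass log check for the situation described above, written here as an added example rather than code from Zammad or from this page: it parses combined-format access-log lines and flags OAuth callback requests that carry no state parameter or that arrive with a Referer from outside the identity provider. The log lines are constructed, and the callback paths and provider hostnames are assumptions for illustration, not confirmed Zammad routes.

```ruby
require 'uri'

# Constructed combined-format access-log lines for this example. The callback
# paths and provider hosts below are assumptions; confirm them against the routes
# and providers of the deployment you are checking.
SAMPLE_LOG = <<~'LOG'
  203.0.113.9 - - [08/Apr/2026:10:01:02 +0000] "GET /auth/google_oauth2/callback?code=4%2Fabc&state=Qm9ndXM HTTP/1.1" 302 0 "https://accounts.google.com/" "Mozilla/5.0"
  203.0.113.10 - - [08/Apr/2026:10:02:15 +0000] "GET /auth/microsoft_office365/callback?code=M.R3_BAY HTTP/1.1" 302 0 "https://login.microsoftonline.com/" "Mozilla/5.0"
  198.51.100.7 - - [08/Apr/2026:10:03:40 +0000] "GET /auth/facebook/callback?code=AQDx&state=ZmFrZQ HTTP/1.1" 302 0 "https://evil.example/lure.html" "Mozilla/5.0"
  203.0.113.11 - - [08/Apr/2026:10:04:01 +0000] "GET /auth/google_oauth2/callback?code=4%2Fdef&state=b2s HTTP/1.1" 302 0 "-" "Mozilla/5.0"
  203.0.113.12 - - [08/Apr/2026:10:05:09 +0000] "GET /api/v1/tickets HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG

# Assumed callback routes and the hosts a genuine provider redirect comes from.
CALLBACK_PATH  = %r{\A/auth/(?:google_oauth2|microsoft_office365|facebook)/callback\z}
PROVIDER_HOSTS = %w[accounts.google.com login.microsoftonline.com www.facebook.com].freeze

LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"/

# One combined-format line -> request hash, or nil if the line does not parse.
def parse_line(line)
  m = LOG_LINE.match(line) or return nil
  path, query = m[:target].split('?', 2)
  params = URI.decode_www_form(query.to_s).to_h
  { ip: m[:ip], time: m[:time], method: m[:method], path: path,
    params: params, status: m[:status].to_i, referer: m[:referer] }
end

# Flags callback requests that (a) carry no state parameter at all, or (b) arrive
# with a Referer from a site other than the provider. A missing Referer ("-") is
# not a finding on its own: browsers and referrer policies often strip it.
def suspicious_callbacks(log_text)
  log_text.each_line.filter_map do |line|
    req = parse_line(line)
    next unless req && CALLBACK_PATH.match?(req[:path])

    reasons = []
    reasons << :missing_state unless req[:params].key?('state')
    ref_host = req[:referer] == '-' ? nil : (URI.parse(req[:referer]).host rescue nil)
    reasons << :foreign_referer if ref_host && !PROVIDER_HOSTS.include?(ref_host)
    next if reasons.empty?

    { ip: req[:ip], time: req[:time], path: req[:path], reasons: reasons }
  end
end

if __FILE__ == $PROGRAM_NAME
  suspicious_callbacks(SAMPLE_LOG).each { |f| puts f.inspect }
end
```

On the constructed sample this reports the Microsoft callback with no state and the Facebook callback referred from evil.example; the Google callback with a state and no Referer is left alone. A state that is present but was never issued cannot be detected from access logs alone, which is why the version check and the behavioural check above remain the authoritative tests.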

Mitigation Strategies

The immediate mitigation is to upgrade Zammad to a version in which the vulnerability is fixed.

  • Upgrade to Zammad version 7.0.1 or later.
  • Alternatively, upgrade to version 6.5.4 or later if using the 6.5.x branch.

These versions validate the CSRF state parameter on the OAuth callback endpoints, which closes this vulnerability. If the upgrade cannot be applied immediately, temporarily disabling the Microsoft, Google, and Facebook external authentication providers in Zammad takes the affected callbacks out of use until it can.
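To make concrete what the state check added by the fix actually prevents, the following is an added example (not Zammad's code, and not code from this page) that models an account-linking OAuth flow twice: once with a callback that ignores state, as the description of this CVE reads, and once with a callback that issues a random state bound to the session and verifies it, in constant time and exactly once, on return. The provider, sessions, URLs and identities are constructed stand-ins; simulate_csrf plays the attacker who starts a flow in their own session and gets a logged-in victim to open the resulting callback URL.

```ruby
require 'securerandom'

# Constructed stand-in for the identity provider: hands out an authorization
# code for an external identity and redeems each code once.
class FakeProvider
  def initialize
    @codes = {}
  end

  def issue_code(external_id)
    code = SecureRandom.hex(8)
    @codes[code] = external_id
    code
  end

  def exchange(code)
    @codes.delete(code)
  end
end

# Constant-time comparison so the check cannot leak the expected value byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable shape: no state is issued and the callback accepts any code, so
# whichever browser session lands on the callback gets the identity linked.
class VulnerableCallback
  def initialize(provider)
    @provider = provider
  end

  def authorize(_session)
    'https://idp.example/authorize?client_id=helpdesk&redirect_uri=/auth/callback'
  end

  def callback(session, params)
    external_id = @provider.exchange(params['code']) or return :invalid_code
    session[:linked_identity] = external_id
    :linked
  end
end

# Hardened shape: a fresh random state is bound to the session that starts the
# flow and must come back unchanged, once, on the callback.
class HardenedCallback
  def initialize(provider)
    @provider = provider
  end

  def authorize(session)
    state = SecureRandom.urlsafe_base64(32)
    session[:oauth_state] = state
    "https://idp.example/authorize?client_id=helpdesk&redirect_uri=/auth/callback&state=#{state}"
  end

  def callback(session, params)
    expected = session.delete(:oauth_state)   # consumed on every attempt: no replay
    given = params['state'].to_s
    return :invalid_state if expected.nil? || !secure_equal?(expected, given)
    external_id = @provider.exchange(params['code']) or return :invalid_code
    session[:linked_identity] = external_id
    :linked
  end
end

# CSRF: the attacker starts a flow in their own session, obtains a code for their
# own external identity, and gets a logged-in victim to open the callback URL
# (a link, an <img>, a redirect). Returns the callback result and whatever
# identity ended up linked to the victim's session.
def simulate_csrf(controller_class)
  provider = FakeProvider.new
  app = controller_class.new(provider)
  attacker_state = app.authorize({})[/state=([^&]+)/, 1]   # nil when no state is issued
  code = provider.issue_code('attacker@idp.example')
  forged = { 'code' => code, 'state' => attacker_state }.compact
  victim_session = { user_id: 42 }   # victim is already logged in to the helpdesk
  [app.callback(victim_session, forged), victim_session[:linked_identity]]
end

# Legitimate flow on the same controller: the state round-trips inside one session.
def simulate_legitimate(controller_class)
  provider = FakeProvider.new
  app = controller_class.new(provider)
  session = { user_id: 7 }
  state = app.authorize(session)[/state=([^&]+)/, 1]
  code = provider.issue_code('user7@idp.example')
  app.callback(session, { 'code' => code, 'state' => state }.compact)
end

if __FILE__ == $PROGRAM_NAME
  p simulate_csrf(VulnerableCallback)       # [:linked, "attacker@idp.example"]
  p simulate_csrf(HardenedCallback)         # [:invalid_state, nil]
  p simulate_legitimate(HardenedCallback)   # :linked
end
```

Against the vulnerable variant the victim's session ends up linked to the attacker's external identity, which is the account-takeover shape a missing state check invites; the hardened variant rejects the forged callback because the victim's session never issued that state. The state is removed from the session before it is compared, so a replayed callback fails as well, and the comparison is constant-time so a failed guess reveals nothing about the expected value.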
