CVE-2026-34721
CSRF Vulnerability in Zammad OAuth Callback Endpoints
Publication date: 2026-04-08
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| zammad | zammad | 7.0.0 (fixed in 7.0.1) |
| zammad | zammad | < 6.5.4, i.e. all releases up to and excluding 6.5.4 (fixed in 6.5.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the CSRF vulnerability in Zammad's OAuth callback endpoints directly affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-34721 is a Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the OAuth callback endpoints of the Zammad helpdesk system. It affects all releases before 6.5.4 and release 7.0.0.
The callback endpoints for the Microsoft, Google and Facebook external credentials did not validate the OAuth `state` parameter. In OAuth 2.0 that parameter is the CSRF token of the authorization flow: the application generates a random value when it starts the flow, stores it in the user's server-side session, and must check that the value echoed back to the callback matches before it accepts the authorization code. Without that check the callback cannot tell whether the request completing the flow was started by the current user or was crafted by someone else, so an attacker can complete an authorization flow of their own choosing inside a logged-in victim's session.
The fix shipped in versions 7.0.1 and 6.5.4 adds `state` validation to these callback endpoints.
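The following is an added example written for this page, not Zammad's code or its actual fix. It models, in plain Ruby, an OAuth callback handler in the two shapes described above: one that accepts any request carrying an authorization code, and one that requires the `state` value bound to the session, compares it in constant time and consumes it so the callback is single-use. The provider host, `client_id` and redirect URI are placeholders, and the session is a plain Hash standing in for a server-side session store.

```ruby
require 'securerandom'
require 'uri'

# Constant-time string comparison so the state check does not leak
# how many leading bytes of the guess were correct.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Step 1 (shared by both versions): start the flow, remember a fresh random
# state in the server-side session and send the user to the provider with it.
# The provider host and client_id are placeholders, not real endpoints.
def start_flow(session, provider:, redirect_uri:)
  state = SecureRandom.urlsafe_base64(32)
  session[:oauth_state] = state
  query = URI.encode_www_form(client_id: 'client-id-placeholder',
                              redirect_uri: redirect_uri,
                              response_type: 'code',
                              state: state)
  "https://#{provider}.example/authorize?#{query}"
end

# Vulnerable callback (the behaviour described on this page): any request
# that carries an authorization code is accepted, whoever started the flow.
def vulnerable_callback(_session, params)
  return [:error, 'missing code'] unless params[:code]
  [:linked, params[:code]]
end

# Fixed callback: a state must exist for this session, must match exactly,
# and is consumed on first use so the same callback URL cannot be replayed.
def fixed_callback(session, params)
  expected = session.delete(:oauth_state)
  return [:error, 'missing code'] unless params[:code]
  return [:error, 'no flow in progress'] unless expected
  return [:error, 'state mismatch'] unless secure_compare(params[:state], expected)
  [:linked, params[:code]]
end

# Walk through the attack: the victim has a session, the attacker delivers a
# callback URL carrying the attacker's own authorization code and no valid state.
def demo
  victim = {}
  start_flow(victim, provider: 'google', redirect_uri: 'https://helpdesk.example/oauth/callback')
  forged = { code: 'attacker-code' } # constructed cross-site request: no state
  {
    vulnerable: vulnerable_callback(victim.dup, forged),
    fixed:      fixed_callback(victim.dup, forged),
    legitimate: fixed_callback(victim.dup, { code: 'real-code', state: victim[:oauth_state] })
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the three outcomes: the vulnerable handler links `attacker-code`, the fixed handler rejects the forged request with a state mismatch, and the legitimate completion still succeeds. Deleting the state from the session before comparing is deliberate: a second delivery of the same callback fails with "no flow in progress" rather than being accepted again.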
How can this vulnerability impact me? :
An attacker can use the missing `state` check to make a logged-in Zammad user's browser complete an OAuth callback the attacker prepared, so the configuration change that callback performs happens without the user's intent. The classic outcome of this class of bug is that an attacker-controlled external account ends up linked to the victim's instance.
The rated impact is low for confidentiality and high for integrity: the attacker's leverage is over settings and data in the system rather than over reading what is already there.
The attack is carried out remotely over the network and needs only low privileges. As with any CSRF, it still relies on a victim who holds a valid Zammad session being induced to open an attacker-controlled link or page, which is why the overall risk is moderate rather than critical.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability is the absence of `state` validation on the OAuth callback endpoints for the Microsoft, Google and Facebook external credentials, so there is no configuration setting to inspect; detection comes down to version and behaviour.
- Version: any Zammad release before 6.5.4, or exactly 7.0.0, is affected. Compare the version reported by your installation against those bounds.
- Behaviour: in a test instance, start an OAuth flow for one of the affected external credential types, then replay the resulting callback request with the `state` parameter removed or altered. A fixed instance rejects it; a vulnerable one completes the flow.
- Monitoring: callback requests that arrive without a `state` parameter, or with one that does not match any flow started by that session, are worth alerting on, bearing in mind that a vulnerable instance will not itself log the mismatch.
No specific detection commands or tools are provided in the available resources.
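As an added helper, not part of this page's resources or of Zammad, the following Ruby encodes the affected ranges from the table above so a version string can be checked mechanically. The default path of the VERSION file is an assumption for a package-based install and should be adjusted to your deployment.

```ruby
require 'rubygems'

# Fixed releases from this advisory: 6.5.4 closes the 6.x line, 7.0.1 closes 7.0.
FIXED_6X = Gem::Version.new('6.5.4')
FIRST_7X = Gem::Version.new('7.0.0')
FIXED_7X = Gem::Version.new('7.0.1')

# True when the given Zammad version falls in an affected range:
# anything below 6.5.4 on the 6.x (or older) line, or 7.0.0 on the 7.0 line.
def affected?(version_string)
  v = Gem::Version.new(version_string.strip)
  if v >= FIRST_7X
    v < FIXED_7X
  else
    v < FIXED_6X
  end
end

# Reads the VERSION file Zammad ships in its install root and checks it.
# The default path is an assumption for a package install; adjust as needed.
def affected_install?(version_file = '/opt/zammad/VERSION')
  affected?(File.read(version_file))
end

if $PROGRAM_NAME == __FILE__
  %w[6.4.0 6.5.3 6.5.4 7.0.0 7.0.1].each do |v|
    puts "#{v}: #{affected?(v) ? 'AFFECTED' : 'fixed'}"
  end
end
```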
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Zammad to a fixed version where the vulnerability is addressed.
- Upgrade to Zammad version 7.0.1 or later.
- Alternatively, upgrade to version 6.5.4 or later if using the 6.5.x branch.
These versions include validation of the CSRF state parameter on OAuth callback endpoints, preventing exploitation of this vulnerability.