CVE-2026-34723
Unauthorized Access via Getting Started Endpoint in Zammad

Publication date: 2026-04-08

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint and obtain sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4.
Meta Information
  • Published: 2026-04-08
  • Last modified: 2026-04-17
  • Generated: 2026-06-16
  • AI Q&A: 2026-04-08
  • EPSS evaluated: 2026-06-14
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product   Version / Range
zammad   zammad    7.0.0
zammad   zammad    up to 6.5.4 (excluding)
CWE ID    Description
CWE-284   The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

CVE-2026-34723 is a high-severity vulnerability in the Zammad helpdesk system that allows unauthenticated remote attackers to reach the "getting started" endpoint, an internal endpoint that exposes sensitive entity data.

This happens because of improper access control in the getting_started_controller, which fails to restrict access even after the system setup is complete.

As a result, attackers can retrieve sensitive internal entity data without needing any authentication or user interaction.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive internal data from the Zammad system.

Since no authentication or privileges are required, remote attackers can exploit this flaw easily over the network.

The impact is primarily on confidentiality, as sensitive information can be exposed, but it does not affect system integrity or availability.

This exposure poses a significant security risk, potentially leading to data leaks or further exploitation based on the disclosed information.

Detection Guidance

This vulnerability involves unauthorized access to the 'getting started' endpoint of the Zammad system without authentication. To check whether your own system is vulnerable, attempt to access this endpoint remotely without logging in.

A simple check is to send an HTTP request to the 'getting started' endpoint and see whether sensitive internal entity data is returned without authentication.

  • Use curl to test access: curl -v http://<zammad-server>/getting_started
  • If the response contains sensitive internal data without requiring authentication, the system is vulnerable.
Mitigation Strategies

The primary mitigation step is to upgrade Zammad to a fixed version where this vulnerability is resolved.

  • Upgrade Zammad to version 7.0.1 or later, or 6.5.4 or later if using the 6.5.x branch.

Until the upgrade can be applied, consider restricting network access to the Zammad server to trusted users only, for example by firewall rules or network segmentation, to reduce exposure.
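The following is an added example (not Zammad project code) that turns the fixed-version statement above into a check an administrator can run against the version string shown by their installation: on the 7.0.x line anything below 7.0.1 is affected, and on the 6.x line (or older) anything below 6.5.4 is affected. The version strings in the test are constructed samples.

```python
import re

# Fixed versions named in the advisory: CVE-2026-34723 is resolved in
# 6.5.4 (6.x line) and 7.0.1 (7.0.x line).
FIXED_6 = (6, 5, 4)
FIXED_7 = (7, 0, 1)


def parse_version(text: str) -> tuple:
    """Extract major.minor.patch from a string such as '6.5.3' or 'Zammad 7.0.0-1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text: str) -> bool:
    """True if the given Zammad version falls in the advisory's affected range.

    The advisory lists only the two fixed versions, so the check is done
    per release line: 7.x is compared against 7.0.1, everything else against
    6.5.4 (which also covers releases older than 6.x, as they are 'prior to 6.5.4').
    """
    v = parse_version(text)
    if v[0] >= 7:
        return v < FIXED_7
    return v < FIXED_6


def recommended_fix(text: str) -> str:
    """Return the upgrade target for an affected version, or an 'ok' note."""
    if not is_affected(text):
        return "not affected by CVE-2026-34723"
    major = parse_version(text)[0]
    target = "7.0.1" if major >= 7 else "6.5.4"
    return f"upgrade to Zammad {target} or later"


if __name__ == "__main__":
    for sample in ("6.5.3", "6.5.4", "7.0.0", "7.0.1"):  # constructed samples
        print(sample, "->", recommended_fix(sample))
```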

Compliance Impact

The vulnerability allows unauthenticated remote attackers to access sensitive internal entity data due to improper access control. This unauthorized disclosure of sensitive information can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access.

Because the vulnerability results in high confidentiality impact by exposing sensitive data without authentication, organizations using affected versions of Zammad may face increased risk of data breaches and regulatory violations if this flaw is exploited.
