CVE-2026-34723
Unauthorized Access via Getting Started Endpoint in Zammad
Publication date: 2026-04-08
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zammad | zammad | 7.0.0 |
| zammad | zammad | versions before 6.5.4 (6.5.4 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34723 is a high-severity vulnerability in the Zammad helpdesk system that allows unauthenticated remote attackers to access a sensitive internal endpoint, the "getting started" endpoint.
The cause is improper access control in the getting_started_controller, which fails to restrict access to the endpoint even after the initial system setup has been completed.
As a result, attackers can retrieve sensitive internal entity data without any authentication or user interaction.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive internal data from the Zammad system.
Since no authentication or privileges are required, remote attackers can exploit this flaw over the network with little effort.
The impact is on confidentiality: sensitive information can be exposed, but system integrity and availability are not affected.
This exposure is a significant security risk, potentially leading to data leaks or to further attacks that build on the disclosed information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to the 'getting started' endpoint of the Zammad system without authentication. To check whether your system is vulnerable, attempt to access this endpoint remotely without logging in.
A simple detection method is to send an HTTP request to the 'getting started' endpoint and check whether sensitive internal entity data is returned without authentication.
- Use curl to test access: `curl -v http://<zammad-server>/getting_started`
- If the response contains sensitive internal data without requiring authentication, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Zammad to a fixed version in which this vulnerability is resolved.
- Upgrade Zammad to version 7.0.1 or later, or to 6.5.4 or later if you are on the 6.5.x branch.
Until the upgrade can be applied, restrict network access to the Zammad server to trusted users only, for example with firewall rules or network segmentation, to reduce exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated remote attackers to access sensitive internal entity data because of improper access control. Such unauthorized disclosure of sensitive information can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access.
Because the vulnerability has a high confidentiality impact, exposing sensitive data without authentication, organizations running affected versions of Zammad face an increased risk of data breaches and regulatory violations if the flaw is exploited.