CVE-2026-34721 - Vulnerability Details - OpenCVE

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.

Attack Vector Network

Attack Complexity High

Privileges Required Low

Attack Requirements Present

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Zammad	Zammad

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Zammad	Zammad

References

Link	Providers
https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c

History

Wed, 08 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Zammad Zammad zammad
Vendors & Products		Zammad Zammad zammad

Wed, 08 Apr 2026 18:45:00 +0000

Type	Values Removed	Values Added
Description		Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4.
Title		Zammad has Cross-site request forgery (CSRF) in OAuth callback endpoints
Weaknesses		CWE-352
References		https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c
Metrics		cvssV4_0 `{'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-08T18:12:32.504Z

Updated: 2026-04-08T18:12:32.504Z

Reserved: 2026-03-30T18:41:20.753Z

Link: CVE-2026-34721

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:22.290

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-34721

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:12:38Z

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4."}], "id": "CVE-2026-34721", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:22.290", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.5.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0-alpha,7.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zammad", "source": "cna", "vendor": "zammad"}, "product": "zammad", "vendor": "zammad"}], "analysis": {"en": {"generated_at": "2026-04-08T19:51:26.864263+00:00", "value": {"mitigation_remediation": ["Upgrade to Zammad 7.0.1 or 6.5.4 to address the CSRF validation issue.", "If an upgrade cannot be performed immediately, restrict external access to the OAuth callback endpoints using firewall or web\u2011application configuration so that only trusted domains can initiate requests.", "Verify that your current installation validates the CSRF state parameter before accepting OAuth callbacks.", "Monitor the installation for signs of unauthorized OAuth usage and keep the vendor\u2019s advisories under review."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized account actions"}, "threat_synthesis": {"affected_systems": "The affected product is Zammad Zammad. Versions prior to 7.0.1 in the 7.x branch and prior to 6.5.4 in the 6.x branch are vulnerable. These releases were distributed as open\u2011source web applications that provide customer support functionality.", "description_and_impact": "The identified flaw resides in Zammad's OAuth callback endpoints for Microsoft, Google, and Facebook. Because the applications fail to verify the CSRF state parameter, an attacker can forge requests that the server will accept as legitimate. This permits the unauthorized execution of actions tied to an authenticated user, potentially resulting in compromised user sessions or unauthorized access to internal resources.", "risk_and_exploitability": "With a CVSS score of 5.9 the severity is moderate. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The attack requires an active HTTP session of a logged\u2011in user and a malicious site to issue a crafted request to the callback endpoint; this inference is drawn from the absence of state validation. An attacker who can coerce users into visiting a malicious host can exploit the vulnerability to perform unauthorized actions through the authenticated session."}}}}, "created": "2026-04-08T19:55:16.516604+00:00", "updated": "2026-04-08T20:12:38.165922+00:00", "vendors": ["zammad", "zammad$PRODUCT$zammad"]}