{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34720", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.753Z", "datePublished": "2026-04-08T18:11:23.538Z", "dateUpdated": "2026-04-09T16:17:34.878Z"}, "containers": {"cna": {"title": "Zammad has an origin validation error in SSO mechanism", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 2.3, "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7"}], "affected": [{"vendor": "zammad", "product": "zammad", "versions": [{"version": "< 6.5.4", "status": "affected"}, {"version": ">= 7.0.0-alpha, < 7.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:11:23.538Z"}, "descriptions": [{"lang": "en", "value": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4."}], "source": {"advisory": "GHSA-hcv6-w4h9-p2p7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T15:01:50.133000Z", "id": "CVE-2026-34720", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T16:17:34.878Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34720", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T15:01:50.133000Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T15:01:56.263Z"}}], "cna": {"title": "Zammad has an origin validation error in SSO mechanism", "source": {"advisory": "GHSA-hcv6-w4h9-p2p7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 2.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "zammad", "product": "zammad", "versions": [{"status": "affected", "version": "< 6.5.4"}, {"status": "affected", "version": ">= 7.0.0-alpha, < 7.0.1"}]}], "references": [{"url": "https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7", "name": "https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:11:23.538Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34720", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:17:34.878Z", "dateReserved": "2026-03-30T18:41:20.753Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T18:11:23.538Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AC4AB35-4DD1-43F8-B481-27640E70CF8A", "versionEndExcluding": "6.5.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "830AF7C5-9441-4C80-935E-C53BDB097BB1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the SSO mechanism in Zammad was not verifying the header originates from a trusted SSO proxy/gateway before applying further actions on it. This vulnerability is fixed in 7.0.1 and 6.5.4."}], "id": "CVE-2026-34720", "lastModified": "2026-04-17T15:25:11.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.3, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:22.150", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.5.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0-alpha,7.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zammad", "source": "cna", "vendor": "zammad"}, "product": "zammad", "vendor": "zammad"}], "analysis": {"en": {"generated_at": "2026-04-08T20:23:30.510106+00:00", "value": {"mitigation_remediation": ["Update Zammad to version 7.0.1 or 6.5.4 (or newer) to enforce proper origin validation of SSO headers."], "summary": {"action": "Patch immediately", "impact": "Unauthorized access via forged SSO header"}, "threat_synthesis": {"affected_systems": "All releases of Zammad prior to version 7.0.1 and 6.5.4 are affected. Updating to at least these minimum versions or newer ensures that the SSO header origin is properly verified and the vulnerability is mitigated.", "description_and_impact": "The flaw in Zammad\u2019s single sign\u2011on (SSO) mechanism lies in the omission of origin validation for the SSO header. As a result, an attacker who can forge this header has the potential to trick Zammad into accepting an authentication request on behalf of another user. The weakness is classified as CWE\u2011346, indicating that untrusted domain data is used without adequate validation. Though the CVSS score of 2.3 signals a low severity, the primary risk is that an attacker could impersonate a legitimate user or gain unauthorized access to the system\u2019s functionality.", "risk_and_exploitability": "With a CVSS of 2.3, the overall risk is low and the CVE is not listed in the CISA KEV catalog. EPSS information is not available. The likely attack vector is inferred to be a forged HTTP request containing a malicious SSO header that bypasses server\u2011side origin checks. No additional privileges or local access are required, and the vulnerability does not lead to code execution or data exfiltration beyond the scope of impersonation."}}}}, "created": "2026-04-08T20:12:39.236529+00:00", "updated": "2026-04-09T08:27:57.421185+00:00", "vendors": ["zammad", "zammad$PRODUCT$zammad"]}