{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34721", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T18:41:20.753Z", "datePublished": "2026-04-08T18:12:32.504Z", "dateUpdated": "2026-04-09T14:22:33.535Z"}, "containers": {"cna": {"title": "Zammad has Cross-site request forgery (CSRF) in OAuth callback endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c"}], "affected": [{"vendor": "zammad", "product": "zammad", "versions": [{"version": "< 6.5.4", "status": "affected"}, {"version": ">= 7.0.0-alpha, < 7.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:12:32.504Z"}, "descriptions": [{"lang": "en", "value": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4."}], "source": {"advisory": "GHSA-mfwp-hx66-626c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:22:26.863931Z", "id": "CVE-2026-34721", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:22:33.535Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Zammad has Cross-site request forgery (CSRF) in OAuth callback endpoints", "source": {"advisory": "GHSA-mfwp-hx66-626c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "zammad", "product": "zammad", "versions": [{"status": "affected", "version": "< 6.5.4"}, {"status": "affected", "version": ">= 7.0.0-alpha, < 7.0.1"}]}], "references": [{"url": "https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c", "name": "https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:12:32.504Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34721", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:22:26.863931Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-09T14:22:29.884Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-34721", "state": "PUBLISHED", "dateUpdated": "2026-04-08T18:12:32.504Z", "dateReserved": "2026-03-30T18:41:20.753Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T18:12:32.504Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zammad:zammad:*:*:*:*:*:*:*:*", "matchCriteriaId": "5AC4AB35-4DD1-43F8-B481-27640E70CF8A", "versionEndExcluding": "6.5.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:zammad:zammad:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "830AF7C5-9441-4C80-935E-C53BDB097BB1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, the OAuth callback endpoints for Microsoft, Google, and Facebook external credentials do not validate a CSRF state parameter. This vulnerability is fixed in 7.0.1 and 6.5.4."}], "id": "CVE-2026-34721", "lastModified": "2026-04-17T15:23:43.820", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:22.290", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.5.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0.0-alpha,7.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "zammad", "source": "cna", "vendor": "zammad"}, "product": "zammad", "vendor": "zammad"}], "analysis": {"en": {"generated_at": "2026-04-08T19:51:26.864263+00:00", "value": {"mitigation_remediation": ["Upgrade to Zammad 7.0.1 or 6.5.4 to address the CSRF validation issue.", "If an upgrade cannot be performed immediately, restrict external access to the OAuth callback endpoints using firewall or web\u2011application configuration so that only trusted domains can initiate requests.", "Verify that your current installation validates the CSRF state parameter before accepting OAuth callbacks.", "Monitor the installation for signs of unauthorized OAuth usage and keep the vendor\u2019s advisories under review."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized account actions"}, "threat_synthesis": {"affected_systems": "The affected product is Zammad Zammad. Versions prior to 7.0.1 in the 7.x branch and prior to 6.5.4 in the 6.x branch are vulnerable. These releases were distributed as open\u2011source web applications that provide customer support functionality.", "description_and_impact": "The identified flaw resides in Zammad's OAuth callback endpoints for Microsoft, Google, and Facebook. Because the applications fail to verify the CSRF state parameter, an attacker can forge requests that the server will accept as legitimate. This permits the unauthorized execution of actions tied to an authenticated user, potentially resulting in compromised user sessions or unauthorized access to internal resources.", "risk_and_exploitability": "With a CVSS score of 5.9 the severity is moderate. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The attack requires an active HTTP session of a logged\u2011in user and a malicious site to issue a crafted request to the callback endpoint; this inference is drawn from the absence of state validation. An attacker who can coerce users into visiting a malicious host can exploit the vulnerability to perform unauthorized actions through the authenticated session."}}}}, "created": "2026-04-08T19:55:16.516604+00:00", "updated": "2026-04-08T20:12:38.165922+00:00", "vendors": ["zammad", "zammad$PRODUCT$zammad"]}