CVE-2026-34723
HIGHZammad has incorrect access control in getting_started_controller
Title source: cnaDescription
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727
Scores
CVSS v3
7.5
EPSS
0.0044
EPSS Percentile
35.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-284
Status
published
Products (3)
zammad/zammad
7.0.0
zammad/zammad
< 6.5.4 (2 CPE variants)
zammad/zammad
>= 7.0.0-alpha, < 7.0.1
Published
Apr 08, 2026
Tracked Since
Apr 09, 2026