CVE-2026-34837

Zammad is miissing authorization in AI assistance controller for context data used in text tools

Assigner: GitHub_M
Reserved: 30.03.2026 Published: 08.04.2026 Updated: 08.04.2026

Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1, he REST endpoint POST /api/v1/ai_assistance/text_tools/:id contains an authorization failure. Context data (e.g., a group or organization) supplied to be used in the AI prompt were not checked if they are accessible for the current user. This leads to having data present in the AI prompt that were not authorized before being used. A user needs to have ticket.agent permission to be able to use the provided context data. This vulnerability is fixed in 7.0.1.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 5.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

Product Status

Vendor	zammad
Product	zammad
Versions	Version >= 7.0.0, < 7.0.1 is affected

Vendor

zammad

Product

zammad

Versions

Version >= 7.0.0, < 7.0.1 is affected

References

Problem Types

CWE-862: Missing Authorization CWE

CVE-2026-34837 PUBLISHED

Zammad is miissing authorization in AI assistance controller for context data used in text tools

Metrics

Product Status

References

Problem Types