Cyber Resilience

CVE-2026-34723

High

Published: 08 April 2026

Modified: 17 April 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available (fixed in 7.0.1 and 6.5.4)
CVSS Score v4: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0044 (35.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34723 is a high-severity Improper Access Control (CWE-284) vulnerability in Zammad (vendor: Zammad). Its CVSS v4 base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 35.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-34723 is a vulnerability in Zammad, a web-based open source helpdesk and customer support system. In versions prior to 7.0.1 and 6.5.4, unauthenticated remote attackers can access the "getting started" endpoint to retrieve sensitive internal entity data, even after the system setup process is completed. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is linked to CWE-284 (Improper Access Control).

Unauthenticated attackers with network access can exploit this vulnerability with low attack complexity, no required privileges, and no user interaction. Exploitation enables attackers to obtain high-impact confidentiality breaches by exposing sensitive internal entity data from the affected Zammad instances.

The vulnerability is addressed in Zammad releases 7.0.1 and 6.5.4. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727.


Vulnerability details

Zammad is a web-based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4.

CWE(s): CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows unauthenticated remote access to sensitive data via a public-facing web endpoint in Zammad, which maps directly to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34724: same product (Zammad)
CVE-2026-7198: shared CWE-284
CVE-2026-46818: shared CWE-284
CVE-2025-70363: shared CWE-284
CVE-2026-34310: shared CWE-284
CVE-2026-46839: shared CWE-284
CVE-2026-34287: shared CWE-284
CVE-2026-44277: shared CWE-284
CVE-2025-66509: shared CWE-284
CVE-2025-50900: shared CWE-284

Affected Assets

Vendor: zammad
Product: zammad
Versions: 7.0.0 · ≤ 6.5.4

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): AC-3 requires enforcement of approved authorizations for access to system resources, directly addressing the improper access control that allowed unauthenticated attackers to reach sensitive data via the getting started endpoint.

AC-14 Permitted Actions Without Identification or Authentication (prevent): AC-14 mandates identification and control of actions permitted without authentication, preventing exposure of sensitive internal entity data through unauthenticated endpoints like the vulnerable getting started path.

SC-14 (prevent): SC-14 implements protections for nonpublic information at public access points, mitigating unauthorized remote access to sensitive data in publicly facing web applications such as Zammad.
