CVE-2026-34723
Published: 08 April 2026
Summary
CVE-2026-34723 is a high-severity Improper Access Control (CWE-284) vulnerability in Zammad. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 17.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for access to system resources, directly addressing the improper access control that allowed unauthenticated attackers to reach sensitive data via the getting started endpoint.
AC-14 mandates identification and control of actions permitted without authentication, preventing exposure of sensitive internal entity data through unauthenticated endpoints like the vulnerable getting started path.
SC-14 implements protections for nonpublic information at public access points, mitigating unauthorized remote access to sensitive data in publicly facing web applications such as Zammad.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote access to sensitive data through a public-facing web endpoint in Zammad, which maps directly to exploitation of public-facing applications (T1190).
NVD Description
Zammad is a web based open source helpdesk/customer support system. Prior to 7.0.1 and 6.5.4, unauthenticated remote attackers were able to access the getting started endpoint to get access to sensitive internal entity data, even after the system setup was completed. This vulnerability is fixed in 7.0.1 and 6.5.4.
Deeper analysis
CVE-2026-34723 is a vulnerability in Zammad, a web-based open source helpdesk and customer support system. In versions prior to 7.0.1 and 6.5.4, unauthenticated remote attackers can access the "getting started" endpoint to retrieve sensitive internal entity data, even after the system setup process is completed. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is linked to CWE-284 (Improper Access Control).
Unauthenticated attackers with network access can exploit this vulnerability with low attack complexity, no required privileges, and no user interaction. Successful exploitation causes a high-impact confidentiality breach by exposing sensitive internal entity data from affected Zammad instances; integrity and availability are not affected.
The vulnerability is addressed in Zammad releases 7.0.1 and 6.5.4. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727.
Details
- CWE(s)