Security Advisory


· Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!

Security Advisory Details

  • ID: ZAA-2021-02
  • Date: 06/08/2020
  • Title: Password written to logs when probing email connection
  • Severity: low
  • Product: Zammad 1.0.x up to 4.0.0
  • Fixed in: Zammad 4.0.1, 4.1.0
  • References:
    --> CVE: CVE-2021-35299

Vulnerability Descriptions

Password written to logs when probing email connection

Zammad comes with a functionality to automatically probe the email connection configuration. Whenever a full probing (inbound and outbound) connection configuration was probed successfully the valid credentials were logged to the Zammad application log file. This would allow an attacker to read the valid credentials when access to this file would be possible.

Special 🙏 and 🤘 and ❤️ to:

  • N: Axel Franz
  • C: Ray Sono AG

This vulnerability is fixed in the latest versions of Zammad and it is recommended to upgrade to one of these.

Fixed releases can be found at:

Additional information

Online version of this advisory:

Send all remarks to security issues to

Freuen Ihre Kunden sich schon auf die Service-Hotline?
Kostenlos testen!
Alle Neuigkeiten direkt in Ihrer Inbox!
Zum Newsletter anmelden