ZAA-2025-07
Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!
Security Advisory Details
- ID: ZAA-2025-07
- Date: 2025-09-24
- Title: Insertion of Sensitive Information into Log File
- Severity: low
- Product: Zammad 6.5.x
- Fixed in: Zammad 6.5.2
- References:
  - pending CVE assignment
Vulnerability Descriptions
Insertion of Sensitive Information into Log File
The admin interface of Zammad wrote sensitive information like private keys, certificates and passphrases to the Rails log.
Special 🙏 and 🤘 and ❤️ to:
- N: Lennart Mühlenmeier
- C: Gesellschaft für Freiheitsrechte e.V.
- W: https://www.freiheitsrechte.org/
Recommended Resolution
For our SaaS customers, there’s nothing you need to worry about: we’ve already taken care of everything for you.
For self-hosted installations, we strongly advise admins not only to update but also to review and, if necessary, clean up existing log data, including in any connected systems that process these logs.
If you want to check whether something may have leaked, you can scan your logs for parts of secrets that exist in your system (such as part of an API key, S/MIME certificate, PGP key etc.). Consider rotating secrets in case you might be affected.
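One way to run the scan described above, as an added example that is not part of the original advisory or Zammad's own tooling. Assumptions: the function names, fragment labels and sample log lines are constructed, and multi-line values are assumed to be logged on a single line with newlines written as the escape `\n`, which is why a fragment copied across a PEM line wrap is normalized before matching.

```python
import gzip
import re
from pathlib import Path

# PEM / PGP armor headers that should never appear in an application log.
PEM_MARKER = re.compile(
    r"-----BEGIN ([A-Z0-9 ]*(?:PRIVATE KEY|CERTIFICATE)(?: BLOCK)?)-----")
MIN_FRAGMENT = 8  # shorter fragments match too much unrelated text

# Constructed sample lines (not real Zammad output); the key body is dummy data.
SAMPLE_LOG = [
    'I, [2025-09-20T10:00:00.000000 #1234]  INFO -- : Processing by ExampleController#create as JSON',
    'I, [2025-09-20T10:00:00.000100 #1234]  INFO -- :   Parameters: {"data"=>"-----BEGIN PRIVATE KEY-----\\n'
    'QUJDREVGR0hJSktMTU5P\\nUFFSU1RVVldYWVo=\\n-----END PRIVATE KEY-----\\n", "secret"=>"example-passphrase-0001"}',
    'I, [2025-09-20T10:00:00.020000 #1234]  INFO -- : Completed 201 Created in 20ms',
]


def scan_lines(lines, fragments):
    """Yield (line_no, finding); the matched secret text itself is never emitted."""
    needles = {}
    for label, frag in fragments.items():
        frag = frag.replace("\r", "").replace("\n", "")  # fragment copied across a PEM line wrap
        if len(frag) < MIN_FRAGMENT:
            raise ValueError(f"fragment {label!r} is shorter than {MIN_FRAGMENT} characters")
        needles[label] = frag
    for no, line in enumerate(lines, 1):
        marker = PEM_MARKER.search(line)
        if marker:
            yield no, "pem:" + marker.group(1)
        # Assumption: multi-line values are logged on one line with newlines as the
        # two-character escapes \r and \n, so drop those before comparing.
        flat = line.replace("\\r", "").replace("\\n", "")
        for label, needle in needles.items():
            if needle in flat:
                yield no, "fragment:" + label


def scan_file(path, fragments):
    """Scan one plain or gzip-rotated log file; returns [(path, line_no, finding)]."""
    path = Path(path)
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return [(str(path), no, what) for no, what in scan_lines(fh, fragments)]


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG, {"smime-key": "SktMTU5P\nUFFSU1RV"}):
        print(hit)
```

Findings carry only a line number and a label, so the scan output can be shared or stored without copying the secret any further.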
Fixed releases can be found at:
Or just update your Zammad if installed via OS package manager.
Additional information
Online version of this advisory: https://zammad.com/en/advisories/zaa-2025-07
Please see our security policy and send remarks on security issues exclusively to security@zammad.com.