Security Advisory
ZAA-2026-02
· Please read carefully and check if the version of your Zammad system is affected by this vulnerability. Please send us information regarding vulnerabilities in Zammad!
Security Advisory Details
- ID: ZAA-2026-02
- Date: 2026-03-04
- Title: Insertion of Sensitive Information into Log File
- Severity: low
- Product: Zammad 6.5.x
- Fixed in: Zammad 7.0.0 & 6.5.3
- References:
--> pending CVE assignment
Vulnerability Descriptions
Insertion of Sensitive Information into Log File
During startup, Zammad wrote the REDIS_URL environment variable's content to the log file. This variable may contain credentials information.
Special 🙏 and 🤘 and ❤️ to:
- N: Pauline Koch
- C: Simpego Versicherungen AG
- W: https://www.simpego.ch
Recommended Resolution
For our SaaS customers, there’s nothing you need to worry about: we’ve already taken care of everything for you.
For self hosted installations, we strongly advise admins to not only update but also review and, if necessary, clean up existing log data – including in any connected systems that process these logs.
Fixed releases can be found at:
Or just update your Zammad if installed via OS package manager.
Additional information
Online version of this advisory: https://zammad.com/en/advisories/zaa-2026-02
Please see our security policy and send remarks on security issues exclusively to security@zammad.com.