Zammad 6.5.3
Zammad 6.5.3 is a security release that provides all back-portable fixes for users of version 6.5 who cannot yet update to version 7.0.
Read on for all the details:
Insertion of Sensitive Information into Log File
A vulnerability was identified where Zammad wrote the REDIS_URL environment variable to log files during startup. This variable may contain credentials.
For more details, please refer to the Security Advisory ZAA-2026-02
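An added example (not Zammad code and not part of the advisory): a Ruby check that scans existing log text for Redis URLs carrying a password and produces a redacted copy. The regex, the function name and the sample log lines are assumptions constructed for illustration and do not reproduce Zammad's real log format.

```ruby
# Added example, not Zammad code: find and redact Redis URLs that carry
# credentials in log text. Assumes the password is percent-encoded as usual,
# so it contains no raw "/" or "@".

# redis:// or rediss:// followed by userinfo ("user:password@" or ":password@").
REDIS_CRED_URL = %r{\b(rediss?://)([^\s/@:]*):([^\s/@]+)@([^\s"']+)}

# Returns [redacted_text, findings]. Each finding holds the line number and the
# host part only, so the report itself never repeats the secret.
def scan_redis_credentials(text)
  findings = []
  redacted = text.each_line.with_index(1).map do |line, lineno|
    line.gsub(REDIS_CRED_URL) do
      scheme, user, rest = $1, $2, $4
      findings << { line: lineno, target: rest }
      "#{scheme}#{user}:[REDACTED]@#{rest}"
    end
  end.join
  [redacted, findings]
end

# Constructed sample lines (hypothetical format and values).
SAMPLE_LOG = <<~LOG
  I, [2026-01-01T00:00:00] INFO -- : booting with REDIS_URL=redis://:s3cr3t-example@redis.internal:6379/0
  I, [2026-01-01T00:00:01] INFO -- : cache backend redis://localhost:6379
  I, [2026-01-01T00:00:02] INFO -- : REDIS_URL=rediss://app:another-example@10.0.0.5:6380
LOG

if __FILE__ == $PROGRAM_NAME
  # Scan the file given as the first argument, or the sample when none is given.
  path = ARGV[0]
  text = path && File.file?(path) ? File.read(path) : SAMPLE_LOG
  redacted, findings = scan_redis_credentials(text)
  findings.each { |f| warn "line #{f[:line]}: credentials in Redis URL for #{f[:target]}" }
  puts redacted
end
```

A finding in logs written before the update means the Redis credential should be treated as exposed to anyone who could read those logs.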
Incorrect Access Control
Ticket customers were able to use the API to move their tickets to other groups they have no permissions for. This behavior has been corrected and is no longer possible.
For more details, please refer to the Security Advisory ZAA-2026-03
Exposure of Sensitive Information to an Unauthorized Actor
Unauthorized users were able to use the API to get information about internal import status metadata. This is no longer possible.
For more details, please refer to the Security Advisory ZAA-2026-04
Authorization Bypass Through User-Controlled Key
Authorized agent users were able to use the ticket_related endpoint to fetch asset data of arbitrary tickets, including customer and related user information. This is no longer the case.
For more details, please refer to the Security Advisory ZAA-2026-05
SQL Injection
Due to improper SQL statement sanitization, authorized agent or customer users were able to use several API endpoints to inject custom statements into SQL queries. This could lead to the execution of unwanted operations at the database level.
For more details, please refer to the Security Advisory ZAA-2026-06