Security Release

Zammad 7.0.1 & 6.5.4

April 8, 2026 · Our latest security updates address vulnerabilities in Zammad versions 7.0 and 6.5. For users who cannot yet upgrade to version 7.0, we have provided back-portable fixes for version 6.5.

Read on for full details:

Recommended Resolution

SaaS Customers: No action is required. Your instances have already been patched and secured by our team.

Self-Hosted Installations: We strongly advise upgrading to the latest version of Zammad immediately to ensure your system is protected.

Zammad 7.0.1

For full technical details, please refer to the security advisories on GitHub.

Vulnerabilities patched

Information disclosure in ticket detail view of customers in shared organizations
https://github.com/zammad/zammad/security/advisories/GHSA-prww-84vh-w978
Incorrect access control in getting_started_controller
https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727
Improper neutralization of script-related HTML tags in ticket articles
https://github.com/zammad/zammad/security/advisories/GHSA-c2cf-9fc7-jhf3
Improper access control in AI assistance controller for text tools
https://github.com/zammad/zammad/security/advisories/GHSA-96r7-29c8-2j7q
Server-Side Template Injection leading to RCE via AI Agent type_enrichment_data
https://github.com/zammad/zammad/security/advisories/GHSA-fg9w-jg8f-4j94
Missing authorization in AI assistance controller for context data used in text tools
https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8
Server-side request forgery (SSRF) via webhooks
https://github.com/zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75
Cross-site request forgery (CSRF) in OAuth callback endpoints
https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c
Origin validation error in SSO mechanism
https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7
Missing authorization in ticket create endpoint https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8

Zammad 6.5.4

For full technical details, please refer to the security advisories on GitHub.

Vulnerabilities patched

Incorrect access control in getting_started_controller
https://github.com/zammad/zammad/security/advisories/GHSA-hcm9-ch62-5727
Improper neutralization of script-related HTML tags in ticket articles
https://github.com/zammad/zammad/security/advisories/GHSA-c2cf-9fc7-jhf3
Server-side request forgery (SSRF) via webhooks
https://github.com/zammad/zammad/security/advisories/GHSA-2vgc-vfh2-rw75
Cross-site request forgery (CSRF) in OAuth callback endpoints
https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c
Origin validation error in SSO mechanism
https://github.com/zammad/zammad/security/advisories/GHSA-hcv6-w4h9-p2p7
Missing authorization in ticket create endpoint
https://github.com/zammad/zammad/security/advisories/GHSA-28m3-wwgv-ppw8

Infos

Technical Requirements
As a web-based application, Zammad requires an up-to-date browser. We support the latest stable versions of the following browsers:
- Firefox
- Chrome (and Chromium-based browsers such as Edge)
- Opera
- Safari
Advisories
Packages
Upgrade
Here you can find information on upgrading your Zammad installation:
- With Package
- With Docker
Changelogs
All improvements can be found in:
- Changelog 7.0.1
- Changelog 6.5.4

Together we turn your customers into fans.

Start free trial!