A vulnerability in the Sessions module has been resolved. Because the client_id parameter was not validated, an authenticated user could inject directory traversal sequences (../) to trigger a recursive deletion of arbitrary files and directories via FileUtils.rm_rf on the server. The deletion occurs as a side effect during session lookup (Sessions.get), before the controller returns any response and regardless of whether the lookup itself succeeds.
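As an added illustration of the fix pattern the advisory describes (validating client_id strictly before any filesystem side effect), here is a hypothetical session store; it is not Zammad's own code, and the SessionStore class, its identifier format and its on-disk layout are assumptions.

```ruby
require 'fileutils'
require 'pathname'
require 'tmpdir'

# Hypothetical session store modelled on the advisory: sessions live in
# per-client directories under a base path, and a lookup removes a client
# directory that holds no session file as a side effect. The client_id is
# therefore validated before it ever reaches a path or FileUtils.rm_rf.
class SessionStore
  # Assumed identifier format: lowercase hex only, so no separators or '..'
  # sequences can survive into the path construction below.
  CLIENT_ID_PATTERN = /\A[0-9a-f]{8,64}\z/

  class InvalidClientId < StandardError; end

  def initialize(base_dir)
    @base_dir = Pathname.new(base_dir).realpath
  end

  # Map a client_id to its directory. Reject malformed ids first and, as a
  # second line of defence, any resolved path outside the base directory.
  def client_dir(client_id)
    unless client_id.is_a?(String) && client_id.match?(CLIENT_ID_PATTERN)
      raise InvalidClientId, 'malformed client_id'
    end
    dir = @base_dir + client_id
    unless dir.to_s.start_with?(@base_dir.to_s + File::SEPARATOR)
      raise InvalidClientId, 'client_id resolves outside the session directory'
    end
    dir
  end

  # Session lookup: returns the stored session data, or nil. A client directory
  # without a session file is cleaned up, but only after validation, so rm_rf
  # can never act on a caller-controlled path.
  def get(client_id)
    dir = client_dir(client_id)
    return nil unless dir.directory?
    data_file = dir + 'session.dat'
    return data_file.read if data_file.file?
    FileUtils.rm_rf(dir.to_s)
    nil
  end
end
```

The validation is deliberately two-layered: the allow-list pattern is the real control, and the base-directory check catches any future change to the identifier format that reintroduces separators.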

SaaS Customers: No action is required. Your instances have already been patched and secured by our team.

Self-Hosted Installations: We strongly advise upgrading to the latest version of Zammad immediately to ensure your system is protected.

⚠️ Important Note: anyone still using version 7.0 needs to switch to the stable-7.0 branch to receive the latest update.

Vulnerabilities patched

🚨 Important note on the update

  • Before updating, all self-hosted users with a package installation must migrate to the new package hosting by changing their repository configuration. The old repositories will only serve versions prior to 7.1.x and will be available for a short time before the service is shut down. For instructions on updating your package management, refer to the documentation.