Security Release

Zammad 5.1.1

· This release fixes some minor issues regarding the password and forgot-password feature. Self-hosted users are urged to perform an update to 5.1.1 to eliminate this bug. 🛡️
Please read below for details:

Security Patch Level Release 🔐

Due to a missing length restriction, users could configure extremely long user passwords when setting up an account for Zammad. A password that is too long can cause server problems during encryption which eventually leads to a denial of service.
We now added the missing length restriction.

There was no limit for the forgot-password function, for how many times this procedure can be done in what time span. An attacker could send a mass of requests in a short time, spamming the victim as well as risking a server overload.
We have solved this by setting a time limit in which only a limited number of requests can be sent. If these are used up, a certain amount of time must pass before new requests can be sent.

Note: 🏠 Hosted instances will be updated automatically, so there is no action required from your side.


You can find the corresponding advisories here:


You will find all improvements in the Changelog.

Download Zammad 5.1.1


Source code



You can find information on an upgrade of your Zammad installation here:


Node.js dependency

Please note that starting with Zammad 5.0 you'll need Node.js to run 'rake assets:precompile'.
This affects all source code installations and those who change javascript or stylesheet files in Zammad.

Find out more in our documentation.

Together we turn your customers into fans.
Start free trial!
All releases and news directly in your inbox.
Subscribe to the newsletter