Security Release

Zammad 5.2.1

· This security patch includes an update to a previous fix as well as the resolution of three new issues that came along with the 5.2 release. 🛡️
Please read on for details:

Security Patch Level Release 🔐

There is an update for the issue from 5.1.1. After the missing limit of the forgotten password function was added, further manipulation of the rate limit was still possible. As of 5.2.1, these manipulations are detected even better and manipulation is no longer possible.

After update 5.2, customers who have secondary organizations assigned could select with which organization they would like to create tickets. In the selection they could not only see their organizations but all organizations of the system.

We also received reports that Zammad's built-in prevention of brute force password guessing attacks could be bypassed partially. This gap has now been closed as well.

Lastly, Zammad did not correctly perform authorization for certain attachment endpoints. This could be abused by an unauthenticated attacker to gain access to attachments, such as emails or attached files.

Note: 🏠 Hosted instances will be updated automatically, so there is no action required from your side.


You can find the corresponding advisories here:


You will find all improvements in the Changelog.

Download Zammad 5.2.1


Source code



You can find information on an upgrade of your Zammad installation here:


Node.js dependency

Please note that starting with Zammad 5.0 you'll need Node.js to run 'rake assets:precompile'.
This affects all source code installations and those who change javascript or stylesheet files in Zammad.

Find out more in our documentation.

Together we turn your customers into fans.
Start free trial!
All releases and news directly in your inbox.
Subscribe to the newsletter