Security Release

Zammad 5.3.1

· This release note includes a really important security patch. All self-hosted instances are advised to update immediately.

Please read on for details:

Security Patch

An attacker could send a specially created message to the server, causing the message to be sent to all active front ends. While the front end responds to this payload, the attacker now can abuse the session and make malicious changes to the front end and the server.
Find the Advisory here: ZAA-2022-11

Non-Critical changes

Two other smaller vulnerabilities have been fixed that are not critical.
You can find the details in their Advisories

🏠 If you're using Zammad on-prem please update to 5.3.1 as soon as possible.
☁️ Hosted instances will be updated automatically, so there is no action required from your side.


You will find all improvements in the Changelog.

Download Zammad 5.3.1


Source code



You can find information on an upgrade of your Zammad installation here:


Node.js dependency

Please note that starting with Zammad 5.0 you'll need Node.js to run 'rake assets:precompile'.
This affects all source code installations and those who change javascript or stylesheet files in Zammad.

Find out more in our documentation.

Together we turn your customers into fans.
Start free trial!
All releases and news directly in your inbox.
Subscribe to the newsletter