Zammad · Zammad · CVE-2020-26030
**Name of the Vulnerable Software and Affected Versions**
Zammad versions prior to 3.4.1
**Description**
An issue was discovered in the SSO endpoint of Zammad, allowing an authentication bypass via a crafted header when SSO is not configured. This enables an attacker to create a valid and authenticated session, which can be used to perform actions in the name of other users.
**Recommendations**
For versions prior to 3.4.1, update to version 3.4.1 or later to resolve the issue. As a temporary workaround, consider disabling the SSO endpoint until a patch is available. Restrict access to the SSO endpoint to minimize the risk of exploitation.