PT-2026-31416 · Zammad · Zammad

Published 2026-04-08 · Updated 2026-04-09 · CVE-2026-34719

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Zammad versions prior to 7.0.1 and prior to 6.5.4

Description

Zammad, a web-based open-source helpdesk/customer support system, had insufficient validation in its webhook model for loopback or link-local addresses. Only the URL scheme (HTTP/HTTPS) and hostname were checked, potentially allowing the retrieval of confidential metadata from cloud or hosting providers. The validation has been extended and is now applied during webhook configuration and job triggering.

Recommendations

Update to Zammad version 7.0.1 or later. Update to Zammad version 6.5.4 or later.
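
The kind of destination check the description refers to, as an added Ruby example that is not Zammad's code: it accepts only HTTP/HTTPS, then rejects the endpoint if any address the hostname resolves to is loopback or link-local. The module name `WebhookDestination`, the `resolver:` parameter and the `example.test` hostnames are assumptions made for illustration.

```ruby
require 'uri'
require 'ipaddr'
require 'resolv'

# Hypothetical helper, not Zammad's code: decides whether a webhook endpoint
# may be contacted, checking every address the hostname resolves to.
module WebhookDestination
  ALLOWED_SCHEMES = %w[http https].freeze
  DEFAULT_RESOLVER = ->(host) { Resolv.getaddresses(host) } # swappable for offline runs

  def self.blocked_ip?(text)
    ip = IPAddr.new(text).native # unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
    ip.loopback? || ip.link_local?
  rescue IPAddr::InvalidAddressError
    true # unparseable answer from the resolver: fail closed
  end

  # Returns [allowed, reason]. Call when the webhook is saved and again before each delivery.
  def self.check(url, resolver: DEFAULT_RESOLVER)
    uri = URI.parse(url.to_s)
    return [false, 'scheme'] unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)

    host = uri.hostname # strips the brackets from IPv6 literals
    return [false, 'host'] if host.nil? || host.empty?

    addresses = literal?(host) ? [host] : resolver.call(host)
    return [false, 'unresolvable'] if addresses.empty?

    bad = addresses.find { |a| blocked_ip?(a) }
    bad ? [false, "blocked address #{bad}"] : [true, 'ok']
  rescue URI::InvalidURIError
    [false, 'invalid url']
  end

  def self.literal?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::InvalidAddressError
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a resolver stub standing in for DNS.
  dns = ->(h) { h == 'hooks.example.test' ? ['203.0.113.10'] : ['169.254.169.254'] }
  %w[https://hooks.example.test/in http://meta.example.test/].each do |u|
    puts "#{u} -> #{WebhookDestination.check(u, resolver: dns).inspect}"
  end
end
```

Running the check at delivery time as well as at save time covers a hostname whose DNS answer changes after the webhook is configured. For that to hold, the HTTP client has to connect to the address that was vetted rather than resolve the name again.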

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-34719

Affected Products

Zammad