CVE-2026-34721 Overview
Zammad, a web-based open source helpdesk and customer support system, contains a Cross-Site Request Forgery (CSRF) vulnerability in its OAuth callback endpoints for Microsoft, Google, and Facebook external credentials. Prior to versions 7.0.1 and 6.5.4, these OAuth callback endpoints fail to validate the CSRF state parameter, potentially allowing attackers to perform unauthorized actions on behalf of authenticated users.
Critical Impact
Attackers can potentially hijack OAuth authentication flows, leading to unauthorized account access or credential manipulation in Zammad helpdesk installations.
Affected Products
- Zammad versions prior to 7.0.1
- Zammad versions prior to 6.5.4
- Zammad installations using Microsoft, Google, or Facebook OAuth authentication
Discovery Timeline
- 2026-04-08 - CVE-2026-34721 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-34721
Vulnerability Analysis
This vulnerability (CWE-352: Cross-Site Request Forgery) exists in Zammad's OAuth authentication flow implementation. OAuth protocols use a state parameter as a security mechanism to prevent CSRF attacks during the authentication handshake. When a user initiates OAuth authentication with an external provider (Microsoft, Google, or Facebook), the application should generate a unique, unpredictable state value and verify it when the OAuth provider redirects back to the application's callback endpoint.
In vulnerable versions of Zammad, the OAuth callback endpoints for these external credential providers do not properly validate this CSRF state parameter. This oversight creates an opportunity for attackers to craft malicious requests that could manipulate the OAuth authentication process.
Root Cause
The root cause of this vulnerability is the missing validation logic for the OAuth state parameter in Zammad's callback handlers for Microsoft, Google, and Facebook authentication providers. The application accepts OAuth callback requests without verifying that the state parameter matches the value originally generated when the authentication flow was initiated. This architectural oversight in the OAuth implementation allows attackers to inject their own malicious callback requests into a victim's session.
Attack Vector
The attack requires network access and involves user interaction. An attacker must craft a malicious link containing a forged OAuth callback URL and trick an authenticated Zammad user into clicking it. The attack complexity is high as it requires precise timing and the victim must have an active session. If successful, the attacker could potentially link their own external account credentials to the victim's Zammad account or perform other unauthorized actions within the OAuth flow context.
The vulnerability specifically affects the OAuth callback endpoints handling external credential authentication for Microsoft, Google, and Facebook integrations. An attacker would need to:
- Understand the target Zammad instance's OAuth configuration
- Craft a malicious OAuth callback request without a valid state parameter
- Convince an authenticated user to trigger this request through social engineering
Detection Methods for CVE-2026-34721
Indicators of Compromise
- Unexpected OAuth account linkages in Zammad user profiles, particularly external credentials added without user knowledge
- Unusual authentication patterns involving Microsoft, Google, or Facebook OAuth providers
- Web server logs showing OAuth callback requests with missing or invalid state parameters
- Multiple OAuth callback requests in rapid succession from different source IPs for the same user session
Detection Strategies
- Monitor OAuth callback endpoint access logs (/auth/microsoft/callback, /auth/google/callback, /auth/facebook/callback) for requests with missing state parameters
- Implement Web Application Firewall (WAF) rules to detect suspicious OAuth callback patterns
- Review audit logs for unexpected changes to user external credentials or account associations
- Enable detailed logging on OAuth authentication flows to capture state parameter validation failures
Monitoring Recommendations
- Configure alerting for failed OAuth state validation attempts if logging is available in patched versions
- Monitor for unusual patterns in external credential additions across user accounts
- Implement session monitoring to detect cross-origin OAuth callback attempts
- Set up anomaly detection for OAuth-related API endpoint access patterns
How to Mitigate CVE-2026-34721
Immediate Actions Required
- Upgrade Zammad to version 7.0.1 or 6.5.4 immediately to address this vulnerability
- Review audit logs for any suspicious OAuth activity or unexpected external credential additions
- Notify users to review their connected external accounts (Microsoft, Google, Facebook) for unauthorized linkages
- Consider temporarily disabling OAuth authentication via external providers until patching is complete
Patch Information
Zammad has released security patches in versions 7.0.1 and 6.5.4 that properly validate the CSRF state parameter in OAuth callback endpoints. Organizations should update to these versions or later to remediate the vulnerability. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Temporarily disable Microsoft, Google, and Facebook OAuth authentication methods until patching can be completed
- Implement network-level access controls to restrict access to OAuth callback endpoints from untrusted sources
- Enable additional authentication factors for user accounts to reduce impact of potential OAuth hijacking
- Consider using alternative authentication methods such as SAML or local authentication until the patch is applied
# Verify Zammad version after upgrade
zammad run rails r "puts Version.get"
# Expected output should show 7.0.1, 6.5.4 or later
# If using Docker, verify with:
docker exec -it zammad-railsserver zammad run rails r "puts Version.get"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
