https://moltenbit.net/tags/zammad/ Recent content in Zammad on moltenbit Hugo -- 0.147.2 en-us Wed, 08 Apr 2026 12:00:00 +0100 https://moltenbit.net/posts/bypassing-zammad-ai-text-tool-authorization-via-rest-api/ Wed, 08 Apr 2026 12:00:00 +0100 https://moltenbit.net/posts/bypassing-zammad-ai-text-tool-authorization-via-rest-api/ <p>Zammad 7.0 shipped in March 2026 with a set of new AI features, including customizable &ldquo;text tools&rdquo; that let agents use LLM-powered writing assistance within tickets. Admins can restrict these tools to specific groups, so only the Sales team gets the Sales prompt, and so on.</p> <p>I audited the 7.0 codebase shortly after release and found two independent authorization failures in the REST endpoint used to execute AI text tools. One bug let an agent invoke tools outside their allowed group scope. The second let the same endpoint resolve unauthorized context objects into the prompt template. As a result, data from tickets outside the agent&rsquo;s access scope could end up in the AI prompt and potentially in the returned model output.</p> <p>Zammad patched this in 7.0.1. The findings resulted in two CVEs: <a href="https://github.com/zammad/zammad/security/advisories/GHSA-96r7-29c8-2j7q">CVE-2026-34782</a> for the text tool authorization bypass and <a href="https://github.com/zammad/zammad/security/advisories/GHSA-89vv-6639-wcv8">CVE-2026-34837</a> for the context data IDOR.</p> <p>A third finding from the same audit, a CSRF in OAuth callback endpoints (<a href="https://github.com/zammad/zammad/security/advisories/GHSA-mfwp-hx66-626c">CVE-2026-34721</a>), was also patched in 7.0.1 and backported to 6.5.4, but is not covered in this post.</p>