Zammad advisory ZAA-2026-06: critical SQL injection in Zammad 6.5.x (fixed in 7.0.0)
What happened
Zammad published security advisory ZAA-2026-06 (dated 2026-03-04) describing a critical SQL injection issue in Zammad 6.5.x.
According to the advisory, improper SQL statement sanitization allowed authorized agent or customer users to use several API endpoints to inject custom statements into SQL queries, potentially enabling unwanted operations at the database level.
Zammad notes the issue was discovered using the GitHub Security Lab Taskflow Agent and manually verified by GitHub Security Lab members Peter Stöckli and Man Yue Mo.
Who is impacted
Self-hosted Zammad deployments running Zammad 6.5.x are affected. The advisory states that Zammad SaaS customers do not need to take action because Zammad has already addressed it for them.
What to do now
- If you run self-hosted Zammad 6.5.x, upgrade to Zammad 7.0.0 (the advisory lists 7.0.0 as the fixed version).
- Zammad indicates fixed releases are available via zammad.org, ftp.zammad.com, or your OS package manager (if that is how you installed Zammad).
Additional information
- Advisory ID: ZAA-2026-06
- Severity: critical
- Status: CVE assignment pending (per the advisory).
Published 04 Mar 2026
