JustAppSec

Zammad 6.5.x critical SQL injection via API endpoints

1 min read | Published 04 Mar 2026 | Source: Zammad

TL;DR: A critical SQL injection in Zammad 6.5.x lets authenticated agent or customer users inject their own SQL through several API endpoints, enabling unwanted database operations such as reading or modifying data they should not be able to reach.

What happened

Zammad is an open-source helpdesk and customer support ticketing system used by organizations to manage support requests via web, email, and chat. Zammad published advisory ZAA-2026-06 describing a critical SQL injection in Zammad 6.5.x: improper sanitization of SQL statements allows authenticated agent or customer users to inject their own statements through several API endpoints, potentially enabling unwanted database operations.

The issue was discovered using the GitHub Security Lab Taskflow Agent and verified by GitHub Security Lab members — an interesting case of AI-assisted vulnerability discovery in production software.

SQL injection in ticketing/helpdesk platforms is particularly dangerous because these systems often hold sensitive customer data and internal communications.
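The advisory does not describe the affected code path, so the following is a generic illustration added by the editor, not Zammad's code and not a reproduction of ZAA-2026-06. It shows what "improper SQL statement sanitization" usually means in a Rails-style API handler: escaping quotes in a request parameter and then interpolating it into a part of the statement (here an ORDER BY clause) where quotes were never the problem, beside the hardened form that allowlists identifiers and binds values. The tickets table, its columns, and the naive_sanitize helper are hypothetical.

```ruby
# Generic illustration of "sanitize-then-interpolate" versus allowlist + bind
# parameters. Not Zammad's code; table and column names are hypothetical.

# A hand-rolled "sanitizer" that doubles single quotes. That is enough only
# for a value that ends up inside a quoted string literal; it does nothing
# for input interpolated outside quotes (identifiers, ORDER BY, LIMIT).
def naive_sanitize(value)
  value.to_s.gsub("'", "''")
end

# Vulnerable pattern: the sort column and direction from the API request are
# "sanitized" and then interpolated straight into the statement. No quote is
# needed to break out, so the sanitizer never fires.
def tickets_query_vulnerable(sort_by:, order:)
  "SELECT id, title FROM tickets " \
    "ORDER BY #{naive_sanitize(sort_by)} #{naive_sanitize(order)}"
end

# Hardened pattern: identifiers must match a fixed allowlist (they cannot be
# bound as parameters), values go through bind placeholders, and anything
# outside the allowlist is rejected instead of escaped.
SORTABLE_COLUMNS = %w[id title created_at updated_at].freeze
SORT_ORDERS = %w[ASC DESC].freeze

class InvalidSortError < ArgumentError; end

# Returns [sql_with_placeholders, bind_values], the shape a parameterized
# query API (e.g. ActiveRecord's where("...", value)) expects.
def tickets_query_safe(sort_by:, order:, customer_id:)
  column = SORTABLE_COLUMNS.find { |c| c == sort_by.to_s } or
    raise InvalidSortError, "unknown sort column"
  direction = SORT_ORDERS.find { |o| o == order.to_s.upcase } or
    raise InvalidSortError, "unknown sort order"
  sql = "SELECT id, title FROM tickets WHERE customer_id = ? " \
        "ORDER BY #{column} #{direction}"
  [sql, [Integer(customer_id)]]
end

# Constructed request parameter: a payload that carries no single quote, so
# quote-escaping leaves it untouched.
INJECTED_SORT = "id; DROP TABLE tickets; --".freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{tickets_query_vulnerable(sort_by: INJECTED_SORT, order: 'ASC')}"
  begin
    tickets_query_safe(sort_by: INJECTED_SORT, order: "ASC", customer_id: 42)
  rescue InvalidSortError => e
    puts "hardened: rejected (#{e.message})"
  end
  sql, binds = tickets_query_safe(sort_by: "created_at", order: "desc", customer_id: "42")
  puts "hardened: #{sql} binds=#{binds.inspect}"
end
```

The point a practitioner should take from this is that escaping is context-dependent and parameterization only covers values; every place a request field reaches SQL as an identifier or keyword needs an allowlist, and failures should be rejections, not "cleaned" strings.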

Who is impacted

  • Self-hosted Zammad 6.5.x deployments.
  • Zammad SaaS customers do not need to take action — already patched.

What to do now

  • Upgrade self-hosted 6.5.x instances to the patched release referenced in advisory ZAA-2026-06, following the vendor's remediation guidance.
  • Fixed releases are available via zammad.org, ftp.zammad.com, or your OS package manager.
  • CVE assignment is pending per the advisory.

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
