Alert: Unplanned security update! (3.6 / 3.5)

Hello everyone :raising_hand_man:

Usually we don’t do this. But this was urgent: There is an unplanned security update available for the latest stable version of Zammad 3.6 and for 3.5.1. All previous versions of Zammad are also affected. We strongly encourage you to update your Zammad to the latest version ASAP.

What happened? Back in 2019 there was a security issue found in one of our dependencies that affects the session handling / authentication. Unfortunately the relevant CVE-2019-25025 was only reported on 5 March, 2021 - so roughly 2 years later. Usually we have some weeks time to adapt to newly-found issues and to prepare a dedicated security release. However, this time it’s not the case and we needed to act faster as this affects the authentication functionality. We’re not aware of any exploitations of this issue with regards to Zammad systems. To keep it this way, we wanted to let you know ASAP. All the hosted systems maintained by us in our commercial hosted service over at are already secured and have the fix deployed.

Any questions? Feel free to ask them here. We’re ready to answer them :slightly_smiling_face:

Best and stay safe,

PS: To get this kind information right into your mailbox, be sure to subscribe to the Zammad newsletter: