CVE-2022-40816: n/a in n/a

Medium
Published: Tue Sep 27 2022 (09/27/2022, 15:27:48 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Zammad 5.2.1 is vulnerable to Incorrect Access Control. Zammad's asset handling mechanism has logic to ensure that customer users are not able to see personal information of other users. This logic was not effective when used through a web socket connection, so that a logged-in attacker would be able to fetch personal data of other users by querying the Zammad API. This issue is fixed in 5.2.2.

AI-Powered Analysis

Last updated: 07/07/2025, 14:42:05 UTC

Technical Analysis

CVE-2022-40816 is a medium-severity vulnerability affecting Zammad version 5.2.1, an open-source helpdesk and customer support platform. The vulnerability arises from incorrect access control in Zammad's asset handling mechanism. Specifically, the system is designed to prevent customer users from accessing personal information of other users. However, this protection fails when requests are made through a web socket connection. An authenticated attacker with a valid user account can exploit this flaw by querying the Zammad API over a web socket connection to retrieve personal data belonging to other users. This constitutes a breach of confidentiality, as sensitive user information can be exposed without proper authorization. The vulnerability does not affect integrity or availability, and no user interaction beyond authentication is required. The issue was addressed and fixed in Zammad version 5.2.2. The CVSS v3.1 base score is 6.5, reflecting a medium severity with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact. No known exploits are reported in the wild as of the published date. The vulnerability is classified under CWE-863 (Incorrect Authorization).
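The analysis above describes a classic CWE-863 shape: a per-user filter exists, but one transport path (here the web socket) never applies it. The following Ruby is an added illustration of that pattern and its fix, not Zammad's code; every name in it (AssetFilter, Vulnerable, Fixed, the sample users) is hypothetical and the records are constructed.

```ruby
# Added example (not Zammad's own code). Models the bug class behind
# CVE-2022-40816: an authorization filter that is applied on the HTTP path
# but skipped on the WebSocket path. The fix routes every transport through
# one shared asset builder so the policy cannot be bypassed by transport choice.
# All module names and user records below are hypothetical / constructed.

PERSONAL_ATTRS = %w[email phone address].freeze

# Constructed sample user records keyed by id.
USERS = {
  1 => { 'id' => 1, 'login' => 'alice', 'role' => 'customer', 'email' => 'alice@example.test', 'phone' => '111' },
  2 => { 'id' => 2, 'login' => 'bob',   'role' => 'customer', 'email' => 'bob@example.test',   'phone' => '222' },
  3 => { 'id' => 3, 'login' => 'agent', 'role' => 'agent',    'email' => 'agent@example.test', 'phone' => '333' }
}.freeze

module AssetFilter
  # Customers may only see personal attributes of their own record; agents see all.
  def self.user_asset(record, requester)
    return record.dup unless requester['role'] == 'customer' && record['id'] != requester['id']
    record.reject { |k, _| PERSONAL_ATTRS.include?(k) }
  end
end

# Vulnerable layout: HTTP controller filters, WebSocket handler returns the raw record.
module Vulnerable
  def self.http_user(id, requester)
    AssetFilter.user_asset(USERS.fetch(id), requester)
  end

  def self.ws_user(id, _requester)
    USERS.fetch(id).dup # filter forgotten on this transport
  end
end

# Fixed layout: both transports call the same builder, so the check is applied uniformly.
module Fixed
  def self.build_asset(id, requester)
    AssetFilter.user_asset(USERS.fetch(id), requester)
  end

  def self.http_user(id, requester) = build_asset(id, requester)
  def self.ws_user(id, requester) = build_asset(id, requester)
end

# Personal attribute keys of user `other_id` that `requester_id` can see via `impl` over `transport`.
def leaked_personal_attrs(impl, transport, requester_id, other_id)
  asset = impl.public_send(:"#{transport}_user", other_id, USERS.fetch(requester_id))
  asset.keys & PERSONAL_ATTRS
end
```

The regression check a defender wants is the last function: for a customer requester and a different user, it must return an empty list on every transport.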

Potential Impact

For European organizations using Zammad 5.2.1 or earlier vulnerable versions, this vulnerability poses a significant risk to the confidentiality of user data managed within the helpdesk system. Since Zammad is often used to manage customer support tickets and internal communications, unauthorized access to personal information could lead to data breaches involving personally identifiable information (PII), potentially violating GDPR and other data protection regulations in Europe. The exposure of such data could result in reputational damage, regulatory fines, and loss of customer trust. Although the vulnerability requires an authenticated user, insider threats or compromised accounts could be leveraged to exploit this flaw. The lack of impact on integrity and availability limits the scope to data confidentiality, but the sensitive nature of the data involved elevates the risk. Organizations relying on Zammad for customer support should consider this vulnerability critical to address to maintain compliance and protect user privacy.

Mitigation Recommendations

1. Immediate upgrade to Zammad version 5.2.2 or later, where the vulnerability is fixed, is the most effective mitigation.
2. Restrict access to the Zammad web socket API to trusted networks and users by implementing network segmentation and firewall rules.
3. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of account compromise.
4. Monitor and audit user activities and API access logs for unusual or unauthorized data access patterns, especially over web socket connections.
5. Limit user privileges to the minimum necessary, applying the principle of least privilege to reduce the impact of compromised accounts.
6. If immediate upgrade is not feasible, consider disabling or restricting web socket access temporarily until the patch can be applied.
7. Conduct a thorough review of data exposure and notify affected users if a breach is suspected, in compliance with GDPR requirements.

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-09-19T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682defd5c4522896dcc016ae

Added to database: 5/21/2025, 3:23:01 PM

Last enriched: 7/7/2025, 2:42:05 PM

Last updated: 8/16/2025, 2:25:07 PM