CVE-2025-26842: n/a in n/a
An issue was discovered in Znuny through 7.1.3. If access to a ticket is not given, the content of S/MIME encrypted e-mail messages is visible to users with access to the CommunicationLog.
AI Analysis
Technical Summary
CVE-2025-26842 is a high-severity vulnerability affecting Znuny, an open-source ticketing system used for customer support and communication management. The vulnerability arises from improper access control in the handling of S/MIME encrypted email messages within the CommunicationLog feature. Specifically, users who do not have authorized access to a particular ticket can still view the content of S/MIME encrypted emails associated with that ticket if they have access to the CommunicationLog. This indicates a failure in enforcing authorization checks on sensitive encrypted message content, allowing unauthorized disclosure of confidential information. The vulnerability is classified under CWE-863 (Incorrect Authorization), highlighting that the system does not correctly restrict access to sensitive data based on user permissions. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the vulnerability being remotely exploitable without authentication (AV:N/AC:L/PR:N/UI:N), and resulting in a complete confidentiality breach (C:H) without impacting integrity or availability. No patches or vendor-specific product versions are detailed, but the affected Znuny versions are up to 7.1.3. The vulnerability was published in May 2025, with no known exploits in the wild at the time of reporting.
Potential Impact
For European organizations using Znuny for ticketing and customer communication, this vulnerability poses a significant risk to confidentiality. Unauthorized users with access to the CommunicationLog can access sensitive encrypted email content, potentially exposing private customer data, internal communications, or other confidential information protected by S/MIME encryption. This could lead to data breaches violating GDPR requirements, resulting in regulatory penalties and reputational damage. The exposure of encrypted email content undermines the trust in secure communication channels and may facilitate further social engineering or targeted attacks. Since Znuny is used across various sectors including government, finance, and healthcare in Europe, the impact could be widespread, especially where sensitive personal or business data is handled. The lack of required authentication for exploitation increases the risk of insider threats or lateral movement attacks within organizations. Although no integrity or availability impacts are noted, the confidentiality breach alone is critical given the nature of the data involved.
Mitigation Recommendations
European organizations should immediately review access controls on the CommunicationLog feature within Znuny and restrict access strictly to authorized personnel. Implement role-based access control (RBAC) policies ensuring that only users with explicit ticket access can view associated communications. Until an official patch is released, consider disabling or limiting the use of CommunicationLog for S/MIME encrypted messages. Conduct audits to identify any unauthorized access to sensitive ticket communications. Enhance monitoring and alerting for unusual access patterns to ticket logs. Organizations should also educate users about the risk of exposing encrypted message content through improper access controls. Once a vendor patch or update becomes available, prioritize timely deployment. Additionally, consider encrypting sensitive ticket data at rest and in transit with strong cryptographic controls and segregate communication logs from general user access. Implement network segmentation to limit exposure of Znuny systems to trusted users only.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-02-15T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9818c4522896dcbd8160
Added to database: 5/21/2025, 9:08:40 AM
Last enriched: 7/5/2025, 4:43:22 AM
Last updated: 11/21/2025, 11:56:48 PM