CVE-2025-26846: 
Linux Debian vulnerability analysis and mitigation

A security vulnerability (CVE-2025-26846) was discovered in Znuny, affecting versions from LTS 6.5.1 through 6.5.11, versions 7.0.1 through 7.1.3, and all versions of LTS 6.0. The vulnerability was disclosed on February 12, 2025, and involves incorrect permissions checking in the generic interface, allowing ticket attributes to be changed with read-only permission (Wiz Database).

The vulnerability is classified with a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue specifically involves a wrong permissions check in the generic interface of Znuny that allows modification of ticket attributes even with read-only permissions. The vulnerability is categorized as CWE-862 (Missing Authorization) (NVD, Wiz Database).

The vulnerability allows unauthorized modification of ticket attributes in the system, potentially compromising the integrity of ticket data when users with read-only permissions can make changes they shouldn't be allowed to perform (Wiz Database).

The issue has been addressed in newer versions of the software. Users are recommended to upgrade to patched versions. For Debian systems, fixed versions are available in trixie/non-free and sid/non-free with version 6.5.15-2. The vulnerability has been fixed in Znuny version 7.1.4 (Debian Tracker, NVD).