An issue exists in Zammad prior to 4.1.1. The REST API discloses sensitive information.
zammad zammad