Skip to content

"CSRF token verification failed!" after updating to v15.5.2 / Zammad 7.1.1 #591

Description

@FlyingT

After updating three of our self-hosted instances to the newest release on Friday (26.06.2026), everything worked fine for the rest of the day. However, as of today (29.06.2026), we are unable to log in after logging out. The system throws a "CSRF token verification failed!" error. Notably, active sessions that did not log out continue to work without any issues.

Initially, accessing Zammad through either http://<IP-address>:8080 or https://ticket.domain.tld resulted in the exact same CSRF error.

Environment & Setup

  • Deployment: Docker Compose via Portainer as described in the official documentation
  • Nginx Proxy Manager sits in the same Docker network and points directly to the container name http://zammad-nginx-1:8080
  • Only Environment Variables set was ZAMMAD_FQDN = ticket.domain.tld

Workaround & Observations
I was able to partially solve the issue by explicitly adding NGINX_SERVER_SCHEME = https to the environment variables.

  • Accessing via https://ticket.domain.tld works again with this variable set.
  • Accessing via http://<IP-address>:8080 still fails with the CSRF error.
  • Setting the variable to $scheme did not resolve the issue.

As a side note regarding the Environment Variables Appendix: The documentation states that the default value for NGINX_SERVER_SCHEME is \$scheme. This is likely a typo and should probably be just $scheme without the backslash.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions