After updating three of our self-hosted instances to the newest release on Friday (26.06.2026), everything worked fine for the rest of the day. However, as of today (29.06.2026), we are unable to log in after logging out. The system throws a "CSRF token verification failed!" error. Notably, active sessions that did not log out continue to work without any issues.
Initially, accessing Zammad through either http://<IP-address>:8080 or https://ticket.domain.tld resulted in the exact same CSRF error.
Environment & Setup
- Deployment: Docker Compose via Portainer as described in the official documentation
- Nginx Proxy Manager sits in the same Docker network and points directly to the container name
http://zammad-nginx-1:8080
- Only Environment Variables set was
ZAMMAD_FQDN = ticket.domain.tld
Workaround & Observations
I was able to partially solve the issue by explicitly adding NGINX_SERVER_SCHEME = https to the environment variables.
- Accessing via
https://ticket.domain.tld works again with this variable set.
- Accessing via
http://<IP-address>:8080 still fails with the CSRF error.
- Setting the variable to
$scheme did not resolve the issue.
As a side note regarding the Environment Variables Appendix: The documentation states that the default value for NGINX_SERVER_SCHEME is \$scheme. This is likely a typo and should probably be just $scheme without the backslash.
After updating three of our self-hosted instances to the newest release on Friday (26.06.2026), everything worked fine for the rest of the day. However, as of today (29.06.2026), we are unable to log in after logging out. The system throws a "CSRF token verification failed!" error. Notably, active sessions that did not log out continue to work without any issues.
Initially, accessing Zammad through either
http://<IP-address>:8080orhttps://ticket.domain.tldresulted in the exact same CSRF error.Environment & Setup
http://zammad-nginx-1:8080ZAMMAD_FQDN = ticket.domain.tldWorkaround & Observations
I was able to partially solve the issue by explicitly adding NGINX_SERVER_SCHEME = https to the environment variables.
https://ticket.domain.tldworks again with this variable set.http://<IP-address>:8080still fails with the CSRF error.$schemedid not resolve the issue.As a side note regarding the Environment Variables Appendix: The documentation states that the default value for NGINX_SERVER_SCHEME is
\$scheme. This is likely a typo and should probably be just$schemewithout the backslash.