Skip to main content

osTicket CVE-2026-14871

| EUVDEUVD-2026-45186 HIGH
Incorrect Authorization (CWE-863)
2026-07-17 Fluid Attacks
7.1
CVSS 4.0 · Vendor: Fluid Attacks
Share

Severity by source

Vendor (Fluid Attacks) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable AJAX endpoint with low complexity, requires a valid low-privilege account (PR:L), unauthorized ticket read gives high confidentiality impact with no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Fluid Attacks).

CVSS VectorVendor: Fluid Attacks

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 17, 2026 - 16:00 vuln.today
Analysis Generated
Jul 17, 2026 - 16:00 vuln.today
CVE Published
Jul 17, 2026 - 14:55 cve.org
HIGH 7.1

DescriptionCVE.org

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem.

AnalysisAI

Unauthorized ticket data disclosure in osTicket v1.18.3 and v1.17.7 allows an authenticated low-privilege user to access tickets belonging to other users by manipulating object identifiers in the AJAX ticket-management endpoints. The flaw stems from missing per-object authorization checks (BOLA/IDOR) rather than a coding error in the request handler. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain authenticated osTicket account
Delivery
Open own ticket via AJAX endpoint
Exploit
Capture object identifier in request
Execution
Substitute/enumerate other ticket IDs
Persist
Retrieve unauthorized ticket contents
Impact
Exfiltrate sensitive support data

Vulnerability AssessmentAI

Exploitation The attacker must hold a valid authenticated osTicket session (CVSS PR:L) - the flaw is reachable only after login, not by anonymous users. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) describes a network-reachable, low-complexity attack requiring low privileges and no user interaction, with high confidentiality impact but no integrity or availability impact - consistent with unauthorized read of other users' tickets. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege osTicket account, opens their own ticket, and observes the object identifier used by the AJAX ticket-management calls. By incrementing or substituting that identifier in subsequent requests, they retrieve tickets belonging to other users, potentially harvesting sensitive support conversations, PII, or credentials pasted into tickets. …
Remediation Vendor-released patch: upgrade to osTicket v1.18.4 (for the 1.18.x branch) or v1.17.8 (for the 1.17.x branch), both available as tagged GitHub releases (https://github.com/osTicket/osTicket/releases/tag/v1.18.4 and https://github.com/osTicket/osTicket/releases/tag/v1.17.8); the v1.18.4 notes bundle the June 2026 security patch set. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all osTicket deployments and identify which systems run versions 1.18.3 or 1.17.7, prioritizing instances containing sensitive customer data. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-24881 CRITICAL POC
9.8 Nov 02

SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning. Rate

CVE-2017-15580 CRITICAL POC
9.8 Oct 23

osTicket 1.10.1 provides a functionality to upload 'html' files with associated formats. Rated critical severity (CVSS 9

CVE-2026-22200 HIGH POC
8.7 Jan 12

Arbitrary local file read in Enhancesoft osTicket 1.18.x (before 1.18.3) and 1.17.x (before 1.17.7) lets a remote unauth

CVE-2019-14749 HIGH POC
8.8 Aug 07

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Rated high severity (CVSS 8.8), this vulnera

CVE-2017-14396 CRITICAL POC
9.8 Sep 12

In osTicket before 1.10.1, SQL injection is possible by constructing an array via use of square brackets at the end of a

CVE-2019-14750 MEDIUM POC
6.1 Aug 07

An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Rated medium severity (CVSS 6.1), this vulne

CVE-2018-7195 HIGH POC
8.1 Mar 27

Enhancesoft osTicket before 1.10.2 allows remote attackers to reset arbitrary passwords (when an associated e-mail addre

CVE-2023-30082 HIGH POC
7.5 Jun 14

A denial of service attack might be launched against the server if an unusually lengthy password (more than 10000000 cha

CVE-2021-45811 MEDIUM POC
6.5 Sep 08

A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket 1.15.x allows authenticate

CVE-2019-11537 MEDIUM POC
6.1 Apr 25

In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.ph

CVE-2018-7196 MEDIUM POC
6.1 Mar 27

Cross-site scripting (XSS) vulnerability in /scp/index.php in Enhancesoft osTicket before 1.10.2 allows remote attackers

CVE-2018-7193 MEDIUM POC
6.1 Mar 27

Cross-site scripting (XSS) vulnerability in /scp/directory.php in Enhancesoft osTicket before 1.10.2 allows remote attac

Share

CVE-2026-14871 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy