Request Tracker CVE-2026-41074
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.3.
AnalysisAI
Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers to perform arbitrary state-changing actions on behalf of an authenticated RT user who is lured to a malicious web page. The flaw carries a CVSS 7.1 (high integrity impact) and has been addressed in RT 6.0.3 released 2026-05-20, but no public exploit identified at time of analysis and the CVE is not present in CISA KEV.
Technical ContextAI
Request Tracker is a widely deployed Perl-based, enterprise-grade issue and ticket tracking system maintained by Best Practical Solutions. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery), meaning RT's state-changing HTTP endpoints in the 6.0.x branch do not adequately verify that authenticated requests originated from RT's own UI - typically a missing, predictable, or improperly validated anti-CSRF token. Because RT relies on browser session cookies for authorization, any cross-origin form submission or image/script request that hits a state-changing handler is honored by the server as if the logged-in user initiated it. The affected CPE is cpe:2.3:a:bestpractical:rt covering the 6.0.x line prior to 6.0.3.
RemediationAI
Vendor-released patch: upgrade to RT 6.0.3, available from https://download.bestpractical.com/pub/rt/release/rt-6.0.3.tar.gz with the GHSA advisory at https://github.com/bestpractical/rt/security/advisories/GHSA-265j-qx4w-256j; operators should also apply the follow-up patch at https://github.com/bestpractical/rt/commit/525547751b76cc422015960bae3056f4e8d4351f.patch that closes a separately tracked TSV-export issue inadvertently regressed in 6.0.3 (to be folded into 6.0.4). Where immediate upgrade is not feasible, restrict the RT web UI to a dedicated browser profile or network segment, enforce a strict same-site session-cookie posture (SameSite=Lax or Strict) at the reverse proxy, and instruct privileged RT users to fully log out before browsing untrusted sites - these measures reduce but do not eliminate exposure, and SameSite=Strict can break legitimate inbound deep-links from email notifications. Web application firewall rules that require an Origin/Referer header matching the RT host on state-changing requests provide additional defense but may break custom integrations that POST cross-origin.
Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6
Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback c
Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions
Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" perm
Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remo
CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers
Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attack
Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" a
Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to e
Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Se
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today