Skip to main content

Request Tracker CVE-2026-41074

HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-22 GitHub_M
7.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 21:45 vuln.today
Analysis Generated
May 22, 2026 - 21:45 vuln.today

DescriptionGitHub Advisory

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.3.

AnalysisAI

Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers to perform arbitrary state-changing actions on behalf of an authenticated RT user who is lured to a malicious web page. The flaw carries a CVSS 7.1 (high integrity impact) and has been addressed in RT 6.0.3 released 2026-05-20, but no public exploit identified at time of analysis and the CVE is not present in CISA KEV.

Technical ContextAI

Request Tracker is a widely deployed Perl-based, enterprise-grade issue and ticket tracking system maintained by Best Practical Solutions. The vulnerability is classified as CWE-352 (Cross-Site Request Forgery), meaning RT's state-changing HTTP endpoints in the 6.0.x branch do not adequately verify that authenticated requests originated from RT's own UI - typically a missing, predictable, or improperly validated anti-CSRF token. Because RT relies on browser session cookies for authorization, any cross-origin form submission or image/script request that hits a state-changing handler is honored by the server as if the logged-in user initiated it. The affected CPE is cpe:2.3:a:bestpractical:rt covering the 6.0.x line prior to 6.0.3.

RemediationAI

Vendor-released patch: upgrade to RT 6.0.3, available from https://download.bestpractical.com/pub/rt/release/rt-6.0.3.tar.gz with the GHSA advisory at https://github.com/bestpractical/rt/security/advisories/GHSA-265j-qx4w-256j; operators should also apply the follow-up patch at https://github.com/bestpractical/rt/commit/525547751b76cc422015960bae3056f4e8d4351f.patch that closes a separately tracked TSV-export issue inadvertently regressed in 6.0.3 (to be folded into 6.0.4). Where immediate upgrade is not feasible, restrict the RT web UI to a dedicated browser profile or network segment, enforce a strict same-site session-cookie posture (SameSite=Lax or Strict) at the reverse proxy, and instruct privileged RT users to fully log out before browsing untrusted sites - these measures reduce but do not eliminate exposure, and SameSite=Strict can break legitimate inbound deep-links from email notifications. Web application firewall rules that require an Origin/Referer header matching the RT host on state-changing requests provide additional defense but may break custom integrations that POST cross-origin.

More in Rt

View all
CVE-2026-41075 HIGH
8.8 May 22

Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6

CVE-2026-41076 HIGH
8.1 May 22

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows

CVE-2013-3370 MEDIUM
6.8 Aug 23

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback c

CVE-2012-4732 MEDIUM
6.8 Nov 11

Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0

CVE-2013-3369 MEDIUM
6.0 Aug 23

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions

CVE-2012-4733 MEDIUM
6.0 Aug 23

Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" perm

CVE-2014-1474 MEDIUM
5.0 Jul 15

Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remo

CVE-2013-3373 MEDIUM
5.0 Aug 23

CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers

CVE-2012-4884 MEDIUM
5.0 Nov 11

Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attack

CVE-2012-4734 MEDIUM
5.0 Nov 11

Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" a

CVE-2026-41073 MEDIUM
4.6 May 22

Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to e

CVE-2013-3374 MEDIUM
4.3 Aug 23

Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Se

Share

CVE-2026-41074 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy