Skip to main content

Request Tracker CVE-2026-41075

HIGH
SQL Injection (CWE-89)
2026-05-22 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 21:45 vuln.today
Analysis Generated
May 22, 2026 - 21:45 vuln.today

DescriptionGitHub Advisory

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users.

AnalysisAI

Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6.0.0-6.0.2 via the entry_aggregator parameter in the JSON search endpoint, allowing any logged-in RT user to read or modify arbitrary data in the underlying database. The flaw was disclosed alongside the rt-5.0.10/6.0.3 release on 2026-05-20 and carries CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Request Tracker is a widely deployed Perl-based enterprise ticketing platform from Best Practical (CPE cpe:2.3:a:bestpractical:rt). The defect is a classic CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) where the entry_aggregator query parameter - used by RT's JSON-based ticket search to control how multiple search clauses are AND/OR-joined - is concatenated into a dynamically constructed SQL statement without sufficient validation or parameterization. Because RT stores tickets, user records, transactions, and ACL data in the same RDBMS (MySQL/PostgreSQL/Oracle/MariaDB are all supported), a successful injection reaches the entire RT data model.

RemediationAI

Vendor-released patch: upgrade to RT 5.0.10 (for the 5.0.x branch) or RT 6.0.3 (for the 6.0.x branch), both published 2026-05-20 and available from https://download.bestpractical.com/pub/rt/release/ and the GitHub release pages. If immediate upgrade is not possible, the vendor's documented workaround is to restrict RT account access to trusted users only - practically meaning disabling self-registration, auditing the existing user table, and tightening group memberships - which preserves functionality for internal staff but breaks customer-facing or anonymous-submission workflows. Additional defense-in-depth options include placing RT behind a reverse-proxy WAF rule that rejects unexpected entry_aggregator values on the JSON search endpoint and enabling database query logging to detect anomalous statements, accepting the trade-off of additional log volume and potential false-positive blocks on legitimate complex searches.

More in Rt

View all
CVE-2026-41076 HIGH
8.1 May 22

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows

CVE-2026-41074 HIGH
7.1 May 22

Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers t

CVE-2013-3370 MEDIUM
6.8 Aug 23

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback c

CVE-2012-4732 MEDIUM
6.8 Nov 11

Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0

CVE-2013-3369 MEDIUM
6.0 Aug 23

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions

CVE-2012-4733 MEDIUM
6.0 Aug 23

Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" perm

CVE-2014-1474 MEDIUM
5.0 Jul 15

Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remo

CVE-2013-3373 MEDIUM
5.0 Aug 23

CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers

CVE-2012-4884 MEDIUM
5.0 Nov 11

Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attack

CVE-2012-4734 MEDIUM
5.0 Nov 11

Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" a

CVE-2026-41073 MEDIUM
4.6 May 22

Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to e

CVE-2013-3374 MEDIUM
4.3 Aug 23

Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Se

Share

CVE-2026-41075 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy