What is the CVSS score of CVE-2026-41076?

CVE-2026-41076 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Request Tracker are affected by CVE-2026-41076?

Request Tracker (RT) versions 5.0.9 and earlier, and 6.0.0 through 6.0.2 contain an authentication bypass vulnerability that allows unauthorized login as any LDAP-backed user without valid…

How to fix or mitigate CVE-2026-41076?

24 hours: Conduct inventory of all RT deployments and identify which instances have LDAP or Active Directory authentication enabled. 7 days: Deploy patches immediately-upgrade to RT 5.0.10 (legacy versions) or RT 6.0.3 (current versions), both released 2026-05-20. 30 days: Verify patch deployment across all systems, audit LDAP server configurations to reject unauthenticated bind requests, and review authentication logs for signs of unauthorized access exploitation.

Request Tracker CVE-2026-41076

HIGH

Improper Authentication (CWE-287)

2026-05-22 GitHub_M

Authentication Bypass

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Source Code Evidence Fetched

May 22, 2026 - 22:15 vuln.today

Analysis Generated

May 22, 2026 - 22:15 vuln.today

DescriptionNVD

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server's authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix.

AnalysisAI

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows remote attackers to log in as any LDAP-backed user without valid credentials when RT is configured with LDAP or Active Directory authentication and the LDAP server accepts unauthenticated bind requests. The flaw, fixed in RT 5.0.10 and 6.0.3 released 2026-05-20, carries a CVSS 8.1 and has no public exploit identified at time of analysis, but the trivial nature of the bypass against vulnerable LDAP policies makes it high-priority for any RT deployment using directory-based auth.

RemediationAI

24 hours: Conduct inventory of all RT deployments and identify which instances have LDAP or Active Directory authentication enabled. 7 days: Deploy patches immediately-upgrade to RT 5.0.10 (legacy versions) or RT 6.0.3 (current versions), both released 2026-05-20. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-41076 vulnerability details – vuln.today

Back

Request Tracker CVE-2026-41076

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code