Skip to main content

Request Tracker CVE-2026-41076

HIGH
Improper Authentication (CWE-287)
2026-05-22 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 22:15 vuln.today
Analysis Generated
May 22, 2026 - 22:15 vuln.today

DescriptionGitHub Advisory

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server's authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix.

AnalysisAI

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows remote attackers to log in as any LDAP-backed user without valid credentials when RT is configured with LDAP or Active Directory authentication and the LDAP server accepts unauthenticated bind requests. The flaw, fixed in RT 5.0.10 and 6.0.3 released 2026-05-20, carries a CVSS 8.1 and has no public exploit identified at time of analysis, but the trivial nature of the bypass against vulnerable LDAP policies makes it high-priority for any RT deployment using directory-based auth.

Technical ContextAI

Request Tracker is a widely deployed Perl-based enterprise ticketing system from Best Practical Solutions, often integrated with corporate directories via its LDAP/Active Directory authentication module. The root cause is classified as CWE-287 (Improper Authentication): RT's LDAP bind logic does not adequately reject credential submissions that the LDAP server may interpret as anonymous or unauthenticated binds. In LDAP, an empty password or certain malformed credentials can result in the directory server returning a success response (anonymous bind) rather than an authentication failure, which RT then misinterprets as proof of identity for the supplied username. The CPE cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:* confirms all RT product variants within the affected ranges are in scope when the LDAP auth backend is in use.

RemediationAI

Vendor-released patch: upgrade to RT 5.0.10 (https://github.com/bestpractical/rt/releases/tag/rt-5.0.10) on the 5.0.x branch or RT 6.0.3 (https://github.com/bestpractical/rt/releases/tag/rt-6.0.3) on the 6.0.x branch, both released 2026-05-20 and signed tarballs available at download.bestpractical.com; the GHSA advisory is at https://github.com/bestpractical/rt/security/advisories/GHSA-3w28-fmcr-mjjx. If upgrade is not immediately possible, the vendor-recommended workaround is to reconfigure the upstream LDAP/AD server to reject unauthenticated bind attempts (e.g., set olcDisallows: bind_anon on OpenLDAP, or ensure Active Directory's LDAPServerIntegrity and 'ldapenforcechannelbinding' policies disallow anonymous binds with a non-empty DN); note that tightening LDAP policy may break legitimate applications that rely on anonymous searches, so test in a staging environment first. As a further compensating control, restrict network access to RT's login endpoint to trusted VPN ranges and monitor authentication logs for successful logins lacking corresponding LDAP bind events. Upgrading RT remains the only complete fix.

More in Rt

View all
CVE-2026-41075 HIGH
8.8 May 22

Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6

CVE-2026-41074 HIGH
7.1 May 22

Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers t

CVE-2013-3370 MEDIUM
6.8 Aug 23

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback c

CVE-2012-4732 MEDIUM
6.8 Nov 11

Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0

CVE-2013-3369 MEDIUM
6.0 Aug 23

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions

CVE-2012-4733 MEDIUM
6.0 Aug 23

Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" perm

CVE-2014-1474 MEDIUM
5.0 Jul 15

Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remo

CVE-2013-3373 MEDIUM
5.0 Aug 23

CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers

CVE-2012-4884 MEDIUM
5.0 Nov 11

Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attack

CVE-2012-4734 MEDIUM
5.0 Nov 11

Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" a

CVE-2026-41073 MEDIUM
4.6 May 22

Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to e

CVE-2013-3374 MEDIUM
4.3 Aug 23

Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Se

Share

CVE-2026-41076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy