CVE-2026-26895
User Enumeration Vulnerability in osTicket /pwreset.php

Publication date: 2026-04-02

Last updated on: 2026-04-07

Assigner: MITRE

Description
User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-02
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: enhancesoft
Product: osticket
Version / Range: all versions before 1.18.3 (1.18.3 itself excluded)
CWE
CWE-203: The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The user enumeration vulnerability in osTicket v1.18.2 allows attackers to identify valid usernames by exploiting timing differences in the password reset process. This can lead to targeted attacks such as credential stuffing, phishing, or brute-force attempts, increasing the risk of unauthorized account access.

Such unauthorized access or exposure of user information can potentially result in data breaches, which may violate compliance requirements under regulations like GDPR and HIPAA that mandate the protection of personal and sensitive data.

Therefore, organizations using vulnerable versions of osTicket may face increased risk of non-compliance with these standards due to the possibility of compromised user data and the associated legal and financial consequences.

Mitigating this vulnerability by upgrading to osTicket version 1.18.3 or later is strongly advised to reduce these compliance risks.


Can you explain this vulnerability to me?

CVE-2026-26895 is a timing side-channel vulnerability in osTicket version 1.18.2 and earlier, specifically in the /pwreset.php password reset endpoint once an SMTP email service has been configured.

The vulnerability occurs because the server response time differs significantly when processing password reset requests for valid versus invalid usernames. For valid usernames, the system attempts to send a password reset email via SMTP, causing a longer response time of several seconds. For invalid usernames, it immediately returns an error with a much shorter response time, under one second.

This timing discrepancy allows remote attackers to enumerate valid usernames by measuring response latency, enabling them to compile lists of valid usernames registered on the platform.


How can this vulnerability impact me?

Attackers can exploit this vulnerability to identify valid usernames on the osTicket platform by measuring the response times of password reset requests.

Once valid usernames are identified, attackers can target these accounts with credential stuffing, phishing, or brute-force attacks, increasing the risk of account compromise.

The consequences of exploitation include potential data breaches, reputational damage, operational disruption, and financial losses.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by measuring the response times of the /pwreset.php password reset endpoint in osTicket version 1.18.2 or earlier. Specifically, sending password reset requests with different usernames and observing the latency differences can reveal valid usernames.

For valid usernames, the server response time is significantly longer (several seconds) because it attempts to send a password reset email via SMTP. For invalid usernames, the response is returned almost immediately (under one second).

To detect this, you can use tools like curl or automated scripts to send requests and measure response times. For example, using curl in a shell script to time requests:

  • curl -w "%{time_total}\n" -o /dev/null -s "https://your-osticket-domain/pwreset.php?username=someuser"

When the reported times are compared across usernames, the consistently longer ones indicate valid usernames.

Alternatively, intercepting and analyzing requests with tools like Burp Suite can help automate and visualize timing differences for user enumeration.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation is to upgrade osTicket to version 1.18.3 or later, where the vulnerability has been fixed.

The fix enforces a minimum response time of 1.4 seconds plus a random jitter on the /pwreset.php endpoint regardless of username validity, eliminating timing differences that allow user enumeration.

Until the upgrade can be applied, consider monitoring and rate-limiting requests to the /pwreset.php endpoint to reduce the risk of automated enumeration attacks.
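The padding mitigation described above, modelled in Python as an added example (not osTicket's own code): the vulnerable handler pays the SMTP cost only for valid usernames, while the fixed handler holds every response until a minimum time plus random jitter has elapsed. The user table, the SMTP stand-in, and the jitter range are constructed assumptions; the page gives only the 1.4 second floor.

```python
"""Response-time padding for a password-reset handler, modelled on the osTicket
1.18.3 fix described above. Example code, not osTicket's own."""
import secrets
import time

MIN_RESPONSE_SECONDS = 1.4   # floor quoted above for the 1.18.3 fix
JITTER_MAX_SECONDS = 0.4     # assumption: the page does not give the jitter range
KNOWN_USERS = {"alice", "bob"}  # constructed stand-in for the user lookup


def send_reset_mail(username, smtp_delay):
    """Stand-in for the SMTP send that only a valid username triggers."""
    time.sleep(smtp_delay)
    return True


def reset_unpadded(username, smtp_delay=0.1):
    """Vulnerable shape: the SMTP cost is paid only on the valid-user branch."""
    if username in KNOWN_USERS:
        send_reset_mail(username, smtp_delay)
    # Identical message on both branches; the leak is the latency, not the body.
    return "If that account exists, a reset link has been sent."


def reset_padded(username, smtp_delay=0.1, min_seconds=MIN_RESPONSE_SECONDS,
                 jitter_max=JITTER_MAX_SECONDS):
    """Fixed shape: hold the response until min_seconds plus random jitter elapse.
    Padding only hides the SMTP branch while it finishes inside the floor; a
    slower send should be queued and performed after the response is returned.
    """
    start = time.monotonic()
    target = min_seconds + secrets.randbelow(1001) / 1000 * jitter_max
    message = reset_unpadded(username, smtp_delay)
    remaining = target - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return message


def timed(handler, username, **kwargs):
    """Return (message, elapsed_seconds) as a remote caller would observe it."""
    start = time.monotonic()
    message = handler(username, **kwargs)
    return message, time.monotonic() - start


if __name__ == "__main__":
    for name in ("alice", "nobody"):  # short floor so the demo runs quickly
        _, plain = timed(reset_unpadded, name)
        _, padded = timed(reset_padded, name, min_seconds=0.3, jitter_max=0.05)
        print(f"{name:8s} unpadded={plain:.3f}s padded={padded:.3f}s")
```

The demo shortens the floor to 0.3 s so it runs quickly; a deployment keeps the 1.4 s floor and must also make sure the mail send itself completes inside that window.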

