Executive Summary

CVE-2026-26895 is a timing side-channel vulnerability in osTicket version 1.18.2 and earlier, specifically in the /pwreset.php password reset endpoint after SMTP email service configuration.

The vulnerability occurs because the server response time differs significantly when processing password reset requests for valid versus invalid usernames. For valid usernames, the system attempts to send a password reset email via SMTP, causing a longer response time of several seconds. For invalid usernames, it immediately returns an error with a much shorter response time, under one second.

This timing discrepancy allows remote attackers to enumerate valid usernames by measuring response latency, enabling them to compile lists of valid usernames registered on the platform.

Useful 0 Not Useful 0

Compliance Impact

The user enumeration vulnerability in osTicket v1.18.2 allows attackers to identify valid usernames by exploiting timing differences in the password reset process. This can lead to targeted attacks such as credential stuffing, phishing, or brute-force attempts, increasing the risk of unauthorized account access.

Such unauthorized access or exposure of user information can potentially result in data breaches, which may violate compliance requirements under regulations like GDPR and HIPAA that mandate the protection of personal and sensitive data.

Therefore, organizations using vulnerable versions of osTicket may face increased risk of non-compliance with these standards due to the possibility of compromised user data and the associated legal and financial consequences.

Mitigating this vulnerability by upgrading to osTicket version 1.18.3 or later is strongly advised to reduce these compliance risks.

Useful 0 Not Useful 0

Impact Analysis

Attackers can exploit this vulnerability to identify valid usernames on the osTicket platform by measuring the response times of password reset requests.

Once valid usernames are identified, attackers can target these accounts with credential stuffing, phishing, or brute-force attacks, increasing the risk of account compromise.

The consequences of exploitation include potential data breaches, reputational damage, operational disruption, and financial losses.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by measuring the response times of the /pwreset.php password reset endpoint in osTicket version 1.18.2 or earlier. Specifically, sending password reset requests with different usernames and observing the latency differences can reveal valid usernames.

For valid usernames, the server response time is significantly longer (several seconds) because it attempts to send a password reset email via SMTP. For invalid usernames, the response is returned almost immediately (under one second).

To detect this, you can use tools like curl or automated scripts to send requests and measure response times. For example, using curl in a shell script to time requests:

• curl -w "%{time_total}\n" -o /dev/null -s "https://your-osticket-domain/pwreset.php?username=someuser"

By comparing the output times for different usernames, longer times indicate valid usernames.

Alternatively, intercepting and analyzing requests with tools like Burp Suite can help automate and visualize timing differences for user enumeration.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade osTicket to version 1.18.3 or later, where the vulnerability has been fixed.

The fix enforces a minimum response time of 1.4 seconds plus a random jitter on the /pwreset.php endpoint regardless of username validity, eliminating timing differences that allow user enumeration.

Until the upgrade can be applied, consider monitoring and rate-limiting requests to the /pwreset.php endpoint to reduce the risk of automated enumeration attacks.

Useful 0 Not Useful 0