CVE-2026-48244
Deferred Deferred - Pending Action
Hardcoded Google Maps API Key Exposure in Open ISES Tickets

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: VulnCheck

Description
Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud project.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-06-11
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-10
NVD
CVE-2026-48244
EUVD
EUVD-2026-31323
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability involves a hardcoded Google Maps API key exposed in a public source repository, which can be extracted and misused by unauthorized parties. This improper credential management violates CWE-798 (Use of Hard-coded Credentials).

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the exposure of credentials and potential unauthorized use could lead to indirect compliance risks, especially if such misuse results in unauthorized access to sensitive data or services.

However, there is no direct information provided about specific impacts on compliance with GDPR, HIPAA, or other regulations.

Executive Summary

Open ISES Tickets versions prior to 3.44.2 contain a hardcoded Google Maps API key embedded in the settings.inc.php file. This key is committed to the public source repository, making it accessible to anyone with read access to the source code.

Because the key is exposed publicly, attackers can extract it and use it to make Google Maps Platform requests that are billed to the original owner's Google Cloud project.

This vulnerability is due to improper credential management, specifically the use of hard-coded credentials, which is identified as CWE-798.

Impact Analysis

If you are using a vulnerable version of Open ISES Tickets, an attacker who accesses the source code can extract the hardcoded Google Maps API key and use it to make unauthorized requests.

These unauthorized requests will be billed to your Google Cloud project, potentially leading to unexpected charges.

Additionally, misuse of the API key could lead to service disruptions or abuse of your Google Maps Platform quota.

Detection Guidance

This vulnerability can be detected by inspecting the settings.inc.php file in Open ISES Tickets versions prior to 3.44.2 for the presence of a hardcoded Google Maps API key.

A simple command to check for the hardcoded key in the source code repository or on your system is to search for the Google Maps API key pattern within the settings.inc.php file.

  • grep -i 'google_maps_api_key' settings.inc.php
  • grep -Eo 'AIza[0-9A-Za-z\-_]{35}' settings.inc.php

If you have access to the source repository, you can also search the repository history for commits containing the key.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Open ISES Tickets to version 3.44.2 or later, where the hardcoded Google Maps API key issue has been fixed.

Additionally, you should revoke the exposed Google Maps API key to prevent unauthorized usage and generate a new key with proper credential management.

Review your source code and repository to ensure no other hardcoded credentials are present, following best practices to avoid embedding sensitive keys in code.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48244. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart