CVE-2026-48244
Deferred - Pending Action
Hardcoded Google Maps API Key Exposure in Open ISES Tickets

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: VulnCheck

Description
Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud project.
Meta Information
Published: 2026-05-21
Last Modified: 2026-05-21
Generated: 2026-05-22
AI Q&A: 2026-05-21
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-798
Description: The product contains hard-coded credentials, such as a password or cryptographic key.
AI Powered Q&A
Can you explain this vulnerability to me?

Open ISES Tickets versions prior to 3.44.2 contain a hardcoded Google Maps API key embedded in the settings.inc.php file. This key is committed to the public source repository, making it accessible to anyone with read access to the source code.

Because the key is exposed publicly, attackers can extract it and use it to make Google Maps Platform requests that are billed to the original owner's Google Cloud project.

This vulnerability is due to improper credential management, specifically the use of hard-coded credentials, which is identified as CWE-798.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability involves a hardcoded Google Maps API key exposed in a public source repository, which can be extracted and misused by unauthorized parties. This improper credential management violates CWE-798 (Use of Hard-coded Credentials).

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the exposure of credentials and potential unauthorized use could lead to indirect compliance risks, especially if such misuse results in unauthorized access to sensitive data or services.

However, there is no direct information provided about specific impacts on compliance with GDPR, HIPAA, or other regulations.


How can this vulnerability impact me?

If you are using a vulnerable version of Open ISES Tickets, an attacker who accesses the source code can extract the hardcoded Google Maps API key and use it to make unauthorized requests.

These unauthorized requests will be billed to your Google Cloud project, potentially leading to unexpected charges.

Additionally, misuse of the API key could lead to service disruptions or abuse of your Google Maps Platform quota.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the settings.inc.php file in Open ISES Tickets versions prior to 3.44.2 for the presence of a hardcoded Google Maps API key.

To check the source repository or an installed copy, search settings.inc.php for the setting name and for the Google API key pattern (the hyphen is placed last in the bracket expression so that it is matched literally):

  • grep -i 'google_maps_api_key' settings.inc.php
  • grep -Eo 'AIza[0-9A-Za-z_-]{35}' settings.inc.php

If you have access to the source repository, you can also search the repository history for commits containing the key.
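
The two checks above (working tree and repository history) combined into one script, as an added example that is not part of the original page or the Open ISES project. It goes beyond the single file named above by scanning a whole checkout, and it masks each match so the output can be shared; the script name and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Open ISES code). Pattern from the page: "AIza" followed
# by 35 URL-safe characters; '-' is last in the bracket so it is literal.
KEY_RE='AIza[0-9A-Za-z_-]{35}'

# Mask matched keys so the output is safe to paste into tickets or CI logs.
redact() {
    sed -E 's/(AIza[0-9A-Za-z_-]{4})[0-9A-Za-z_-]{31}/\1<redacted>/g'
}

# Scan the checked-out tree. Prints "file:line:masked-key" for each hit.
# Returns 0 when a key is present and 1 when the tree is clean.
scan_tree() {
    dir=${1:-.}
    hits=$(grep -rHEno --exclude-dir=.git -e "$KEY_RE" "$dir" 2>/dev/null | redact)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Scan the patches of every commit on every ref. A key deleted from the
# latest revision still shows up here, which is why it has to be revoked.
# Prints each distinct key once (masked); returns 1 when none is found.
scan_history() {
    repo=${1:-.}
    hits=$(git -C "$repo" log --all -p --no-color 2>/dev/null \
        | grep -Eo -e "$KEY_RE" | sort -u | redact)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# Usage: sh scan_maps_keys.sh /path/to/checkout   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    scan_tree "$1" || echo "working tree: no key found"
    scan_history "$1" || echo "git history: no key found (or not a git repository)"
fi
```

Both functions return 0 when a key is found, so a CI job that should fail on a finding needs to invert the status.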


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Open ISES Tickets to version 3.44.2 or later, where the hardcoded Google Maps API key issue has been fixed.

Additionally, you should revoke the exposed Google Maps API key to prevent unauthorized usage and generate a new key with proper credential management.

Review your source code and repository to ensure no other hardcoded credentials are present, following best practices to avoid embedding sensitive keys in code.

