CVE-2026-9507
Deferred Deferred - Pending Action

Session Fixation in osTicket

Vulnerability report for CVE-2026-9507, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description

A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) active after a successful login. The issue lies in the fact that the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim’s browser, they will be able to maintain unauthorised access to the account once the victim has authenticated.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
enhancesoft osticket 1.18.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-38 The product accepts input in the form of a backslash absolute path ('\absolute\pathname\here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-9507 is a session fixation vulnerability found in Enhancesoft's osTicket version 1.18.2. This flaw allows an attacker to hijack a victim's account by keeping the initial session identifier (OSTSESSID) active even after the victim logs in.

The root cause is that the application does not invalidate the pre-authentication session cookie or generate a new session ID after the user authenticates. Therefore, if an attacker manages to set a known session ID in the victim's browser before login, they can maintain unauthorized access to the victim's account after login.

Impact Analysis

This vulnerability can allow an attacker to hijack a user's account by maintaining unauthorized access through a fixed session ID. This means the attacker can impersonate the victim, potentially accessing sensitive information or performing actions on their behalf within the osTicket system.

Mitigation Strategies

The vulnerability arises because osTicket v1.18.2 does not invalidate the pre-authentication session cookie (OSTSESSID) or generate a new session identifier after login, allowing session fixation attacks.

Immediate mitigation steps include ensuring that the application invalidates the old session identifier and issues a new one upon successful authentication to prevent attackers from maintaining unauthorized access.

Since the osTicket codebase is currently in maintenance mode with delayed security updates, consider applying any available patches or workarounds from the vendor or restricting access to the affected system until a fix is available.

Compliance Impact

The session fixation vulnerability in osTicket v1.18.2 allows attackers to hijack user accounts by maintaining the initial session identifier after login, leading to unauthorized access.

Such unauthorized access to user accounts can result in exposure or misuse of personal or sensitive data, which may violate data protection requirements under regulations like GDPR and HIPAA.

Failure to properly invalidate session identifiers and protect user sessions can be seen as inadequate security controls, potentially impacting compliance with these standards that mandate safeguarding user data and ensuring confidentiality and integrity.

Detection Guidance

This vulnerability involves session fixation by maintaining the initial session identifier (OSTSESSID) after login. To detect it on your system or network, you can monitor HTTP traffic for session cookies that do not change after authentication.

Specifically, you can capture and analyze HTTP requests and responses to check if the OSTSESSID cookie remains the same before and after login, which indicates the session is not being invalidated or regenerated.

Commands to help detect this behavior include using tools like curl or browser developer tools to inspect cookies, or network traffic analyzers like Wireshark or tcpdump to capture HTTP headers.

  • Use curl to perform a login and check the session cookie before and after authentication: curl -c cookies.txt -d 'username=USER&password=PASS' https://your-osticket-instance/login.php
  • Use curl to access a protected page with the saved cookie and observe if the OSTSESSID remains unchanged: curl -b cookies.txt https://your-osticket-instance/dashboard.php -v
  • Use browser developer tools (Network tab) to observe the Set-Cookie headers during login and verify if the OSTSESSID changes.
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for Set-Cookie headers related to OSTSESSID to check if the session ID is regenerated after login.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9507. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart