CVE-2026-9507
Status: Received - Intake
Session Fixation in osTicket

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) active after a successful login. The issue lies in the fact that the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim’s browser, they will be able to maintain unauthorised access to the account once the victim has authenticated.
Affected Vendors & Products (1 associated CPE)
Vendor: enhancesoft
Product: osticket
Version / Range: 1.18.2
CWE
CWE-38: The product accepts input in the form of a backslash absolute path ('\absolute\pathname\here') without appropriate validation, which can allow an attacker to traverse the file system to unintended locations or access arbitrary files. (This is the weakness ID listed on the page; it describes a path-traversal issue, not the one in this advisory. The weakness that matches the description is CWE-384, Session Fixation.)
Executive Summary

CVE-2026-9507 is a session fixation vulnerability found in Enhancesoft's osTicket version 1.18.2. This flaw allows an attacker to hijack a victim's account by keeping the initial session identifier (OSTSESSID) active even after the victim logs in.

The root cause is that the application does not invalidate the pre-authentication session cookie or generate a new session ID after the user authenticates. Therefore, if an attacker manages to set a known session ID in the victim's browser before login, they can maintain unauthorized access to the victim's account after login.

Impact Analysis

This vulnerability can allow an attacker to hijack a user's account by maintaining unauthorized access through a fixed session ID. This means the attacker can impersonate the victim, potentially accessing sensitive information or performing actions on their behalf within the osTicket system.

Mitigation Strategies

The root cause is that osTicket v1.18.2 neither invalidates the pre-authentication session cookie (OSTSESSID) nor issues a new session identifier once the user has authenticated, so whatever identifier was in the browser before login stays valid for the authenticated session.

The application-side fix is to regenerate the session identifier at the moment credentials are accepted and to delete the server-side state bound to the old identifier (in PHP, session_regenerate_id(true) immediately after a successful credential check). A quick way to verify an instance is to log in with an HTTP client that shows Set-Cookie headers and confirm that the OSTSESSID value returned with the post-login response differs from the one sent in the login request; if it is unchanged, the instance is affected.

Since the osTicket codebase is currently in maintenance mode with delayed security updates, apply any patch or workaround the vendor publishes, and until then reduce exposure by restricting who can reach the login pages (network allow-lists or a VPN), keeping pre-authentication session lifetimes short, and marking the session cookie Secure, HttpOnly and SameSite so that planting a known identifier is harder. Cookie flags alone do not prevent fixation when the attacker can set cookies from a sibling subdomain or through another injection vector; only regenerating the identifier at login closes the issue.
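The following Python model is an added example, not osTicket code and not part of the advisory. It plays the attack described above end to end against a minimal server-side session store: with the identifier kept across login (the reported behaviour) the attacker's pre-planted OSTSESSID becomes an authenticated session; with the identifier regenerated and the old entry deleted at login (the fix) it does not. The cookie name comes from the advisory; the user table, the attacker's delivery step and all function names are assumptions made for the example.

```python
"""Session fixation: why reusing the pre-login session id is exploitable,
and how regenerating it at login closes the hole.

Constructed simulation (not osTicket code). The cookie name OSTSESSID and
the idea of a server-side session store come from the advisory; the user
table, the attacker's delivery step and all function names are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

COOKIE_NAME = "OSTSESSID"

# Constructed credential table (never store plaintext passwords in real code).
USERS = {"alice": "correct horse battery staple"}


@dataclass
class SessionData:
    user: Optional[str] = None  # None until the user authenticates


class SessionStore:
    """Minimal server-side session store.

    regenerate_on_login=False mimics the reported behaviour: the id that was
    in the browser before login keeps working after login.
    regenerate_on_login=True is the fix: a fresh id is issued at login and the
    old id is deleted, like PHP's session_regenerate_id(true).
    """

    def __init__(self, regenerate_on_login: bool) -> None:
        self.regenerate_on_login = regenerate_on_login
        self.sessions: Dict[str, SessionData] = {}

    def start(self, presented_id: Optional[str]) -> str:
        """Resume the session named by the cookie, or create a new one.

        Any presented id is accepted, as PHP does with session.use_strict_mode
        off. Strict mode alone does not stop fixation: the attacker can first
        obtain a legitimate id from the server, as the scenario below does.
        """
        sid = presented_id or secrets.token_hex(16)
        self.sessions.setdefault(sid, SessionData())
        return sid

    def login(self, sid: str, username: str, password: str) -> str:
        """Authenticate and return the session id the client must use next."""
        expected = USERS.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return sid  # credentials rejected: session stays unauthenticated
        if self.regenerate_on_login:
            data = self.sessions.pop(sid)  # old id is no longer valid
            sid = secrets.token_hex(16)    # new id the attacker does not know
            self.sessions[sid] = data
        self.sessions[sid].user = username
        return sid

    def whoami(self, sid: str) -> Optional[str]:
        session = self.sessions.get(sid)
        return session.user if session else None


def fixation_scenario(regenerate_on_login: bool) -> dict:
    """Play the attack end to end and report what the attacker ends up with."""
    server = SessionStore(regenerate_on_login)

    # 1. Attacker visits the site and receives a valid pre-auth session id.
    attacker_sid = server.start(None)

    # 2. Attacker plants that id in the victim's browser (the delivery
    #    mechanism, e.g. a cookie set from a sibling subdomain, is out of scope).
    victim_cookie = attacker_sid

    # 3. Victim opens the site with the planted cookie and logs in.
    victim_cookie = server.start(victim_cookie)
    victim_cookie = server.login(victim_cookie, "alice", "correct horse battery staple")

    # 4. Attacker keeps using the id they already know.
    return {
        "attacker_sees_user": server.whoami(attacker_sid),
        "victim_id_changed_at_login": victim_cookie != attacker_sid,
        "victim_still_logged_in": server.whoami(victim_cookie) == "alice",
    }


if __name__ == "__main__":
    print("vulnerable:", fixation_scenario(regenerate_on_login=False))
    print("fixed:     ", fixation_scenario(regenerate_on_login=True))
```

In osTicket's PHP stack the equivalent of the regenerating branch is a call to session_regenerate_id(true) right after the credential check succeeds; session.use_strict_mode=1 is worthwhile defence in depth, but as the scenario shows it is not a substitute, because the attacker can obtain a server-issued identifier before planting it.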

Compliance Impact

Because the flaw lets an attacker take over user accounts, it can lead to exposure or misuse of the personal and ticket data held in osTicket, which may breach data-protection obligations under regimes such as GDPR and HIPAA.

Failing to invalidate the pre-authentication session identifier at login is also the kind of inadequate session-management control that auditors assess against requirements to safeguard user data and preserve its confidentiality and integrity.
