CVE-2026-14871
Received Received - Intake

Broken Object Level Authorization in osTicket AJAX Ticket-Management

Vulnerability report for CVE-2026-14871, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Fluid Attacks

Description

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
osticket osticket 1.18.3
osticket osticket 1.17.7
osticket osticket 1.18.4
osticket osticket 1.17.8

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in osTicket versions v1.18.3 and v1.17.7. It allows unauthorized access to ticket-management functions due to improper authorization checks.

Detection Guidance

This vulnerability is specific to osTicket versions v1.18.3 and v1.17.7. Check your osTicket version by inspecting the system or running commands like 'grep -r "osticket" /path/to/install' or checking the version in the admin panel. If you find version v1.18.3 or v1.17.7, the system is vulnerable.

Impact Analysis

An attacker could exploit this to access or modify tickets they are not authorized to view or edit. This may lead to data leaks, unauthorized changes, or disruption of ticketing system operations.

Compliance Impact

This vulnerability could violate compliance requirements by exposing sensitive data (e.g., personal or health information) to unauthorized parties. GDPR requires protecting personal data, and HIPAA mandates safeguarding health information. Exploitation may lead to non-compliance penalties.

Mitigation Strategies

Upgrade osTicket to the latest patched version (v1.18.4 or v1.17.8) immediately. Download the update from the official osTicket GitHub repository or release pages. Backup your database and files before upgrading. Follow the official upgrade instructions to avoid data loss.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14871. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart