Broken Object Level Authorization in osTicket by osTicket
CVE-2026-14871

7.1HIGH

Key Information:

Vendor

Osticket

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-14871?

osTicket versions v1.18.3 and v1.17.7 exhibit a critical flaw in the AJAX ticket-management subsystem, where Broken Object Level Authorization allows unauthorized access to user data through Insecure Direct Object Reference (IDOR) techniques. This can lead to severe implications, as unauthorized users may gain access to sensitive ticket information, jeopardizing user confidentiality and data integrity.

Affected Version(s)

osTicket Windows v1.18.3

osTicket Windows v1.17.7

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Juan Felipe Osorio Z
.