Broken Object Level Authorization in osTicket by osTicket
CVE-2026-14871
7.1HIGH
What is CVE-2026-14871?
osTicket versions v1.18.3 and v1.17.7 exhibit a critical flaw in the AJAX ticket-management subsystem, where Broken Object Level Authorization allows unauthorized access to user data through Insecure Direct Object Reference (IDOR) techniques. This can lead to severe implications, as unauthorized users may gain access to sensitive ticket information, jeopardizing user confidentiality and data integrity.
Affected Version(s)
osTicket Windows v1.18.3
osTicket Windows v1.17.7
