User Enumeration Vulnerability in osTicket by osTicket Team
CVE-2026-26895

5.3MEDIUM

Key Information:

Vendor: osTicket Team
Status: osTicket
Vendor: CVE Published:; 2 April 2026

🔔 Create osTicket Team Vulnerability Alert

What is CVE-2026-26895?

A user enumeration vulnerability exists in osTicket v1.18.2 within the /pwreset.php script. This flaw permits remote attackers to identify valid usernames registered on the platform, potentially facilitating further unauthorized access attempts. Organizations using this version should prioritize applying security updates to mitigate the risk of exposure to automated attacks targeting user accounts.

References

http://osticket.com

https://csacyber.com/blog/osticket-timing-vulnerability-u...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 2, 2026
Vulnerability Reserved
Feb 16, 2026

CVE-2026-26895 Data

JSON