Authentication Bypass in RT Ticket Tracking System by Best Practical
CVE-2026-41076

8.1 HIGH

Key Information:

CVE Published: 22 May 2026

What is CVE-2026-41076?

RT, an open source enterprise-grade ticket tracking system, has an authentication bypass vulnerability affecting versions 5.0.9 and 6.0.0 through 6.0.2 when LDAP/AD is used for user authentication. Under specific server configurations, attackers can potentially authenticate as any user without providing valid credentials. The recommended resolution is to upgrade to versions 5.0.10 or 6.0.3. If an immediate upgrade is not feasible, reviewing the LDAP server's authentication policy to disallow unauthenticated bind attempts can serve as a temporary workaround.
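The description points at a well-known class of LDAP integration bug: under RFC 4513 a simple bind that carries a DN but an empty password is an "unauthenticated" bind, and a directory configured to accept such binds returns success without checking any credential. The model below is an added illustration, not RT's or Best Practical's code; the directory, DNs and passwords are constructed, and the assumption is that the application forwards the submitted password straight into the bind and treats a successful bind as a verified login.

```python
"""Model of the LDAP unauthenticated-bind authentication bypass class.

Constructed stand-in for a directory server and two application-side
login routines: the vulnerable pattern beside the hardened one.
"""

# Constructed directory: DN -> password (hypothetical sample data).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse",
    "uid=root,ou=people,dc=example,dc=org": "s3cret!",
}


def ldap_simple_bind(dn: str, password: str, allow_unauthenticated: bool) -> bool:
    """Simulated server-side simple bind (RFC 4513 section 5.1).

    - empty DN, empty password -> anonymous bind, always succeeds
    - DN, empty password       -> unauthenticated bind, succeeds only when
                                  the server policy allows it
    - DN, password             -> authenticated bind, credential is checked
    """
    if not dn and not password:
        return True
    if dn and not password:
        return allow_unauthenticated
    return DIRECTORY.get(dn) == password


def vulnerable_login(user: str, password: str, allow_unauthenticated: bool) -> bool:
    """Vulnerable pattern: whatever the user typed goes into the bind, and a
    successful bind is taken as proof of identity. With a permissive server
    an empty password logs in as any account."""
    dn = f"uid={user},ou=people,dc=example,dc=org"
    return ldap_simple_bind(dn, password, allow_unauthenticated)


def hardened_login(user: str, password: str, allow_unauthenticated: bool) -> bool:
    """Hardened pattern: reject empty credentials before contacting the
    directory, so the result no longer depends on the server's bind policy.
    Restricting unauthenticated binds on the server is the second layer."""
    if not user or not password:
        return False
    dn = f"uid={user},ou=people,dc=example,dc=org"
    return ldap_simple_bind(dn, password, allow_unauthenticated)
```

The `allow_unauthenticated` flag stands in for the server-side policy the advisory suggests tightening as a workaround; the hardened routine passes regardless of how that flag is set.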

Affected Version(s)

rt < 5.0.10

rt >= 6.0.0, < 6.0.3

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved