Open ISES Tickets Vulnerability in Authentication Flow Disables TLS Verification
CVE-2026-48248

8.2 HIGH

Key Information:

Vendor

Open Ises

Status
Vendor
CVE Published: 21 May 2026

What is CVE-2026-48248?

A vulnerability in Open ISES Tickets before version 3.44.2 disables TLS certificate verification during the login/authentication process. The flaw arises from CURLOPT_SSL_VERIFYPEER being set to false in incs/login.inc.php, which can allow an attacker monitoring the network to present a forged certificate. By exploiting this weakness, an attacker can intercept, monitor, or modify sensitive data transmitted over HTTPS, including session identifiers and API keys, posing significant risks to user credentials and data integrity.
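The weak setting beside a corrected form, as an added PHP example rather than code from Open ISES Tickets or its 3.44.2 fix. The function names, the optional CA bundle parameter and the example.invalid host are assumptions made for illustration.

```php
<?php
// Added example. Function names and the host below are hypothetical.

// Weak form: the setting the advisory describes. The chain is never validated,
// so a forged certificate carrying the right host name is accepted.
function fetch_unverified($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // the defect
    return curl_exec($ch);
}

// Hardened form: verify chain and host name, fail closed on any TLS error.
function fetch_verified($url, $caBundle = null)
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // chain must lead to a trusted CA
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate name must match the host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain HTTP
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 10,
    ];
    if ($caBundle !== null) {
        // Private or internal CA: trust its bundle instead of disabling checks.
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        // Certificate failures surface here; do not retry without verification.
        throw new RuntimeException(
            sprintf('HTTPS request failed (%d): %s', curl_errno($ch), curl_error($ch))
        );
    }
    return $body;
}

// Constructed call: the reserved .invalid host never resolves, so this
// exercises the fail-closed path offline.
try {
    fetch_verified('https://auth.example.invalid/login');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```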

Affected Version(s)

Tickets 0 < 3.44.2

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
