Session Fixation Vulnerability in osTicket by EnhanceSoft
CVE-2026-9507

5.1MEDIUM

Key Information:

Vendor: Enhancesoft
Status: Osticket
Vendor: CVE Published:; 16 June 2026

🔔 Create Enhancesoft Vulnerability Alert

What is CVE-2026-9507?

A session fixation vulnerability has been discovered in osTicket v1.18.2, allowing attackers to hijack user accounts. This flaw occurs due to the application's failure to invalidate the pre-authentication cookie and generate a new session identifier upon successful user login. Consequently, if an attacker is able to set a known session identifier in the victim’s browser, they can maintain unauthorized access to the victim's account after authentication. Immediate patching and implementation of proper session management practices are recommended to mitigate this risk.

Affected Version(s)

osTicket 1.18.2

References

https://www.incibe.es/en/incibe-cert/notices/aviso/sessio...

patch

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 16, 2026
Vulnerability Reserved
May 25, 2026

Credit

Mario Valiente

CVE-2026-9507 Data

JSON