VYPR
Medium severity · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2026-9507

Description

A session fixation vulnerability in osTicket v1.18.2 allows an attacker to hijack a victim's account by reusing a pre-authentication session identifier.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A session fixation vulnerability in osTicket v1.18.2 allows an attacker to hijack a victim's account by reusing a pre-authentication session identifier.

Vulnerability

A session fixation vulnerability exists in osTicket v1.18.2 [1]. The application fails to invalidate the pre-authentication cookie (OSTSESSID) or generate a new session identifier after a successful login. This allows an attacker to set a known session identifier in the victim's browser and later reuse it to gain unauthorized access once the victim authenticates.
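The correct login behaviour described above, as an added PHP example that is not osTicket's code: the handler discards pre-authentication session state and issues a fresh identifier on successful login, and strict mode makes PHP refuse to adopt an identifier the server never issued. verify_credentials() is a hypothetical helper; the cookie name is the one named in the advisory.

```php
<?php
// Added example, not osTicket's code: a minimal login/logout pair that
// closes the session-fixation window. Assumes verify_credentials()
// (hypothetical) returns a user id on success or null on failure.

declare(strict_types=1);

// Refuse session ids that are not already known to the session store.
// On its own this does not stop fixation with a server-issued id, which
// is why login() below still regenerates the id.
ini_set('session.use_strict_mode', '1');

session_name('OSTSESSID');              // cookie name from the advisory
session_set_cookie_params([
    'lifetime' => 0,                    // session cookie, no persistence
    'path'     => '/',
    'secure'   => true,                 // only sent over HTTPS
    'httponly' => true,                 // not readable by page scripts
    'samesite' => 'Lax',
]);
session_start();

function login(string $user, string $pass): bool
{
    $uid = verify_credentials($user, $pass); // hypothetical helper
    if ($uid === null) {
        return false;
    }
    // Drop everything carried over from the pre-authentication session,
    // then issue a new id; true also deletes the old server-side record,
    // so a pre-login id known to anyone else no longer maps to this user.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['uid']     = $uid;
    $_SESSION['auth_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();                                   // server-side state
    setcookie(session_name(), '', time() - 3600, '/');   // expire the cookie
}
```

A quick check of any deployment: the OSTSESSID value in the Set-Cookie header of the post-login response must differ from the one the browser sent with the login request; if it is unchanged, the application has the behaviour this advisory describes.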

Exploitation

An attacker must be able to set a known session identifier in the victim's browser, for example by sending a crafted link or using a cross-site scripting vector. No prior authentication is required. The attacker sets the OSTSESSID cookie to a value they control, then the victim logs in. Since the session ID is not regenerated, the attacker can use the same identifier to access the victim's authenticated session.

Impact

Successful exploitation allows the attacker to hijack the victim's account, gaining the same privileges as the victim. This can lead to unauthorized viewing and modification of support tickets, disclosure of sensitive information, and potential integrity violations. The CVSS v4.0 base score is 5.1 (Medium) with low confidentiality and low integrity impact [1].

Mitigation

As of the publication date, no patch is available for osTicket v1.18.2. The legacy codebase is in maintenance mode, and Enhancesoft is focusing on a complete rewrite (v2.0) [1]. Users are advised to monitor for updates and consider upgrading to v2.0 when released. No official workaround has been provided.

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Osticket/Osticket (inferred), 2 versions
    = 1.18.2 + 1 more
    • (no CPE) range: = 1.18.2
    • (no CPE) range: = 1.18.2

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.