osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem.
History

Fri, 17 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Description osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem.
Title osTicket v1.18.3 - v1.17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure
First Time appeared Osticket
Osticket osticket
Weaknesses CWE-863
CPEs cpe:2.3:a:osticket:osticket:v1.17.7:*:linux:*:*:*:*:*
cpe:2.3:a:osticket:osticket:v1.17.7:*:macos:*:*:*:*:*
cpe:2.3:a:osticket:osticket:v1.17.7:*:windows:*:*:*:*:*
cpe:2.3:a:osticket:osticket:v1.18.3:*:linux:*:*:*:*:*
cpe:2.3:a:osticket:osticket:v1.18.3:*:macos:*:*:*:*:*
cpe:2.3:a:osticket:osticket:v1.18.3:*:windows:*:*:*:*:*
Vendors & Products Osticket
Osticket osticket
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-07-17T15:28:21.159Z

Reserved: 2026-07-06T14:11:41.135Z

Link: CVE-2026-14871

cve-icon Vulnrichment

Updated: 2026-07-17T15:28:15.628Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-17T17:30:05Z