PatchSiren cyber security CVE debrief
CVE-2026-41074 bestpractical CVE debrief
CVE-2026-41074 is a Cross-Site Request Forgery (CSRF) vulnerability in RT (Request Tracker), an open-source enterprise-grade issue and ticket tracking system. The vulnerability affects versions 6.0.0 through 6.0.2 and was assigned a CVSS 3.1 score of 7.1 (HIGH severity). The issue was published on 2026-05-22 and last modified on 2026-05-26. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. The vulnerability has been remediated in version 6.0.3.
- Vendor: bestpractical
- Product: rt
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-26
Who should care
Organizations running RT (Request Tracker) versions 6.0.0-6.0.2 for IT service management, help desk operations, or issue tracking. System administrators responsible for RT deployments, security teams monitoring web application vulnerabilities, and developers maintaining RT integrations or customizations.
Technical summary
RT (Request Tracker) versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CWE-352) vulnerability. The application fails to properly validate or require anti-CSRF tokens for state-changing requests, allowing an attacker to construct a malicious web page that submits forged requests to the RT instance. When a victim with an active RT session visits the attacker's page, the browser automatically attaches the victim's session cookies, so RT executes the forged action with the victim's privileges. Depending on the victim's permissions, this can lead to unauthorized ticket modifications, configuration changes, or other administrative actions. The vulnerability requires user interaction (the victim must visit the malicious page) but no authentication bypass or privilege escalation on the attacker's part.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade RT to version 6.0.3 or later to remediate this vulnerability.
- Review and audit recent state-changing actions in RT for unauthorized changes if running affected versions.
- Implement additional CSRF protections at the web application firewall (WAF) or reverse proxy layer as a defense-in-depth measure.
- Educate users about the risks of clicking untrusted links while authenticated to sensitive applications.
- Monitor for suspicious cross-origin requests to RT endpoints that may indicate CSRF exploitation attempts.
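As an added example of the proxy-layer check and the cross-origin monitoring recommended above (this is not code from the advisory, from RT, or from Best Practical), the following classifies state-changing requests to an RT instance by whether the browser-supplied Sec-Fetch-Site, Origin or Referer headers match the RT deployment's own origin. The RT origin, the endpoint paths and the sample requests are constructed placeholders, not RT's real routes.

```python
from urllib.parse import urlsplit

# Constructed for this example: the origin of the RT deployment being protected.
RT_ORIGIN = "https://rt.example.org"

def is_state_changing(method):
    """Only non-safe methods can change RT state; GET/HEAD/OPTIONS are exempt."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")

def classify_request(method, headers):
    """Return 'allow', 'suspect' or 'block' for one request.

    Sec-Fetch-Site is checked first: browsers set it and a page cannot forge it.
    Without it (older clients), Origin and then Referer are compared against
    RT_ORIGIN. A state-changing request carrying none of these headers is only
    marked 'suspect', so non-browser API clients surface for review, not breakage.
    """
    if not is_state_changing(method):
        return "allow"
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        if site in ("same-origin", "none"):
            return "allow"
        return "suspect" if site == "same-site" else "block"
    for name in ("origin", "referer"):
        value = h.get(name)
        if value:
            parts = urlsplit(value)
            return "allow" if f"{parts.scheme}://{parts.netloc}" == RT_ORIGIN else "block"
    return "suspect"

# Constructed sample requests; the paths are placeholders, not RT's real routes.
SAMPLE_REQUESTS = [
    ("GET", "/ticket/view", {"Sec-Fetch-Site": "cross-site"}),
    ("POST", "/ticket/update", {"Sec-Fetch-Site": "same-origin"}),
    ("POST", "/ticket/update", {"Sec-Fetch-Site": "cross-site", "Origin": "https://evil.example"}),
    ("POST", "/admin/user/modify", {"Origin": "https://evil.example"}),
    ("POST", "/ticket/update", {"Referer": "https://rt.example.org/ticket/view"}),
    ("POST", "/api/ticket/create", {}),
]

def review(requests=SAMPLE_REQUESTS):
    """Return (method, path, verdict) for every request not plainly allowed."""
    flagged = []
    for method, path, headers in requests:
        verdict = classify_request(method, headers)
        if verdict != "allow":
            flagged.append((method, path, verdict))
    return flagged
```

Requests marked 'block' are the cross-origin state changes this CVE concerns; 'suspect' entries should be reconciled against known API integrations before being blocked outright.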
Evidence notes
The vulnerability description and affected versions are sourced from the official CVE record and NVD entry. The fix version (6.0.3) is confirmed by the GitHub release tag. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L) indicates network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, high integrity impact, and low availability impact.
Official resources
The vulnerability was disclosed via GitHub Security Advisories and the National Vulnerability Database (NVD). The CVE record was published on 2026-05-22 and modified on 2026-05-26. No known exploitation in the wild has been reported, and it