PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41075 bestpractical CVE debrief

RT (Request Tracker) versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an authenticated SQL injection vulnerability. An attacker with valid credentials can supply crafted input that is incorporated into database queries without proper sanitization, potentially enabling unauthorized read or modification of data within the RT database. The vulnerability was disclosed on May 22, 2026, with a subsequent update to the CVE record on May 26, 2026. The issue has been remediated in RT versions 5.0.10 and 6.0.3.

Vendor
bestpractical
Product
rt
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-22
Original CVE updated
2026-05-26
Advisory published
2026-05-22
Advisory updated
2026-05-26

Who should care

Organizations operating RT instances for issue and ticket tracking, particularly those with multi-user deployments where account compromise or insider threats are concerns. Security teams responsible for vulnerability management in open-source enterprise applications.

Technical summary

The vulnerability is a CWE-89 SQL injection: user-supplied input reaches an SQL query without adequate validation or parameterization, so a logged-in user can alter the logic of the query rather than merely the data it matches. Affected versions are 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2. The CVSS 3.1 base score of 8.8 reflects a network attack vector, low attack complexity, low privileges required (any valid account), no user interaction, unchanged scope, and high impact to confidentiality, integrity, and availability. The evidence summarized here does not identify the specific RT component, page or input field involved, so every authenticated surface should be treated as in scope until the upgrade is in place. Remediation is available in the patched releases 5.0.10 and 6.0.3.
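
The defect class in concrete form, as an added illustration rather than RT's code: the advisory does not identify the affected RT query, table or parameter, so the ticket schema, the owner-scoped search, the sample rows and the payload below are constructed for the demonstration. The vulnerable variant interpolates the search term into the SQL text; the hardened variant binds it as a parameter. The detail worth noting for an authenticated bug is that the attacker does not have to dump the whole database to cause harm: here the injected text simply switches off the owner filter and returns tickets the user is not entitled to read.

```python
# Added illustration of the CWE-89 defect class; NOT RT's code. The 'tickets'
# schema, rows, search term and payload are constructed for this example.
import sqlite3

# Constructed sample data: (id, owner, subject). Two users, each owning tickets
# the other must not be able to read.
SAMPLE_TICKETS = [
    (1, 101, "Printer on floor 3 is jammed"),
    (2, 101, "VPN certificate expiring"),
    (3, 202, "Payroll export failing"),
    (4, 202, "Executive laptop replacement"),
]

# Payload an authenticated user might submit in a free-text search field.
# The trailing '--' comments out whatever the application appends afterwards.
PAYLOAD = "' OR 1=1 --"


def make_db():
    """In-memory SQLite database standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner INTEGER, subject TEXT)"
    )
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", SAMPLE_TICKETS)
    return conn


def search_vulnerable(conn, owner_id, term):
    """Owner-scoped search built by string interpolation.

    int() protects owner_id, but 'term' is pasted into the SQL text, so quotes,
    operators and comment markers in it become part of the query.
    """
    sql = (
        f"SELECT id FROM tickets WHERE owner = {int(owner_id)} "
        f"AND subject LIKE '%{term}%'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def search_hardened(conn, owner_id, term):
    """Same query with bound parameters: 'term' can only ever be data."""
    sql = "SELECT id FROM tickets WHERE owner = ? AND subject LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, (owner_id, f"%{term}%")))


def demo(owner_id=101):
    """Run both variants with a benign term and with the payload."""
    conn = make_db()
    return {
        "benign_vulnerable": search_vulnerable(conn, owner_id, "Printer"),
        "benign_hardened": search_hardened(conn, owner_id, "Printer"),
        "payload_vulnerable": search_vulnerable(conn, owner_id, PAYLOAD),
        "payload_hardened": search_hardened(conn, owner_id, PAYLOAD),
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name:20s} -> ticket ids {ids}")
```

With the payload, the interpolated query becomes WHERE owner = 101 AND subject LIKE '%' OR 1=1, with the rest of the statement commented out, so all four tickets come back for a user who owns two of them; the parameterized query treats the same text as a literal and matches nothing. Casting the owner id to an integer protects that one value and still leaves the query injectable through the free-text term, which is why piecemeal sanitization is a weaker control than binding every value.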

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade RT installations to version 5.0.10 (5.x series) or 6.0.3 (6.x series). Restart the web or application server afterwards so the patched code is actually loaded; a long-running mod_perl or FastCGI process can keep serving the old code until it is restarted.
  • If immediate patching is not feasible, use the fact that exploitation requires valid credentials: restrict RT logins to trusted users, disable or review unused and externally facing accounts, and keep the instance off the public internet where possible, as temporary mitigations.
  • Review RT application logs and database server query logs for queries RT would not normally generate, such as SQL syntax errors, unexpected comment sequences, UNION clauses or stacked statements, and tie any hits back to the authenticated user and session that issued the request.
  • After upgrading, confirm that the running instance reports 5.0.10 or 6.0.3 and that the fix is live on the serving processes; check the installed files rather than trusting a package manifest or change ticket alone.
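
A small triage helper for the ranges stated in this debrief, added here as example code and not a Best Practical tool. It takes whatever version string each deployment reports (how that string is obtained is deployment specific and is assumed to be supplied by the caller) and checks it against the two affected ranges. The parsing is the point: compared as strings, "5.0.10" sorts before "5.0.9", which would misclassify a freshly patched host as vulnerable or, worse, the reverse.

```python
# Added triage helper for the affected ranges stated in this debrief; NOT a
# Best Practical tool. Where the version string comes from is deployment
# specific and is assumed to be supplied by the caller.
import re

# Inclusive affected ranges and the release that fixes each, from the advisory.
AFFECTED_RANGES = (
    ((5, 0, 0), (5, 0, 9), "5.0.10"),
    ((6, 0, 0), (6, 0, 2), "6.0.3"),
)


def parse_version(text):
    """Extract x.y.z from strings such as '5.0.9', 'rt-6.0.2' or 'RT 5.0.10'
    as a tuple of ints. Tuples compare numerically; strings do not
    ('5.0.10' sorts before '5.0.9' as text).
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def assess(version_text):
    """Return (status, fixed_release).

    Versions outside the stated ranges are reported as such rather than as
    'safe': the advisory says nothing about other branches, so that judgement
    belongs to the reader, not to this helper.
    """
    version = parse_version(version_text)
    for first, last, fixed in AFFECTED_RANGES:
        if first <= version <= last:
            return ("vulnerable", fixed)
    return ("outside stated ranges", None)


def triage(inventory):
    """Map host name -> assessment for a {host: version_string} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for the demonstration.
    sample = {"rt-prod": "5.0.9", "rt-staging": "rt-6.0.2", "rt-new": "5.0.10"}
    for host, (status, fixed) in triage(sample).items():
        print(f"{host}: {status}" + (f", upgrade to {fixed}" if fixed else ""))
```

Feed it the output of whatever inventory or configuration-management source already holds the RT version per host; the helper deliberately refuses to call anything "safe", since 5.0.10 and 6.0.3 are the only fixed releases this page names.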

Evidence notes

The CVE description and NVD metadata confirm the vulnerability affects specific RT version ranges and has been assigned CWE-89 (SQL Injection). CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H supports the HIGH severity rating. GitHub Security Advisory GHSA-7vf8-xv7w-97c6 and corresponding release tags provide vendor acknowledgment and fix availability.

Official resources

2026-05-22T22:16:55.940Z