PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41076 bestpractical CVE debrief

CVE-2026-41076 is a high-severity authentication bypass in RT (Request Tracker), Best Practical's open-source issue and ticket tracking system. It affects RT 5.0.9 and earlier and RT 6.0.0 through 6.0.2, but only in deployments that authenticate users against LDAP or Active Directory. Against certain LDAP server configurations an attacker can log in as any LDAP-backed RT user without a valid password, bypassing authentication for that account entirely.

The CVSS 3.1 base score of 8.1 (HIGH) reflects high impact on confidentiality, integrity and availability over a network attack vector. Note that 8.1 with that impact and no privileges required corresponds to high, not low, attack complexity in the vector: the condition outside the attacker's control is the directory server's configuration, not the difficulty of the request once that configuration is present. The record was published on May 22, 2026 and last modified on May 26, 2026.

The weakness is classified as CWE-287 (Improper Authentication) and stems from how RT handles unauthenticated LDAP bind attempts: the application can interpret a bind the server reported as successful as proof of credentials even though the server never validated a password. In LDAP terms (RFC 4513, section 5.1.2) an "unauthenticated" simple bind is one that supplies a DN but an empty password; the protocol allows servers to accept it, although the RFC recommends rejecting it by default, and a number of directory servers accept it unless told otherwise. Best Practical Solutions has released RT 5.0.10 and 6.0.3 with the fix. Organizations running RT with LDAP/AD authentication should upgrade first. Where that is not immediately possible, configuring the directory server to reject unauthenticated binds reduces the exposure, but the change should be tested so it does not break service accounts or other clients that legitimately bind with a DN.

Vendor
bestpractical
Product
rt
CVSS
HIGH 8.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-22
Original CVE updated
2026-05-26
Advisory published
2026-05-22
Advisory updated
2026-05-26

Who should care

Organizations running RT with LDAP or Active Directory authentication, particularly those in enterprise environments using RT for IT service management, security operations, or customer support ticketing. System administrators, security engineers, and identity management teams responsible for RT deployments should prioritize assessment and patching.

Technical summary

CVE-2026-41076 is an authentication bypass vulnerability in RT's LDAP/AD integration. Affected versions (≤5.0.9, 6.0.0-6.0.2) may allow attackers to authenticate without valid credentials when the LDAP server is configured to permit unauthenticated binds. The vulnerability is classified as CWE-287 (Improper Authentication) and carries a CVSS 3.1 score of 8.1 (HIGH). Patches are available in versions 5.0.10 and 6.0.3.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade RT to version 5.0.10 (for 5.x deployments) or version 6.0.3 (for 6.x deployments) to eliminate the authentication bypass vulnerability.
  • If immediate patching is not possible, configure the directory server to refuse unauthenticated binds (a bind that supplies a DN with an empty password). On OpenLDAP this is the disallow bind_anon_dn directive (olcDisallows: bind_anon_dn in cn=config); for Active Directory follow Microsoft's guidance on blocking unauthenticated LDAP binds. Verify the change by attempting such a bind and confirming a non-success result, and check that no other application relies on the old behaviour before rolling it out. This is a risk reduction, not a fix: RT itself still trusts the bind result, so upgrade as soon as possible.
  • Audit for exploitation: correlate RT's successful logins for LDAP-backed users against the directory server's bind logs, and investigate RT logins with no matching password-validated bind, bind requests that carry a DN with empty credentials, and successful logins from unexpected source addresses or at unusual times. Start with accounts that hold administrative rights in RT.
  • Verify that LDAP server configurations in staging environments match production to ensure consistent security posture across environments.
  • Monitor for announcements from Best Practical Solutions regarding additional guidance or related security updates.
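As an added example (not RT's code and not taken from Best Practical or the CVE record), the probe below hand-encodes an LDAP simple BindRequest with a DN and an empty password, sends it and decodes the resultCode, so an administrator can check whether a directory server accepts unauthenticated binds before and after applying the mitigation above. It also shows the application-side check that this class of bug lacks: refusing to treat bind success as a login when the client supplied no password. The host and DN are placeholders, and the BindResponse bytes used offline are constructed here. A resultCode of 0 means the server accepts unauthenticated binds; a non-zero code such as unwillingToPerform (53) or invalidCredentials (49) means it refused.

```python
"""Probe an LDAP server for RFC 4513 section 5.1.2 "unauthenticated" simple binds
(non-empty DN, empty password) and show the application-side check that keeps such a
bind from being mistaken for a login. Example code, not RT's; host/DN are placeholders."""
import socket


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (or ENUMERATED with tag 0x0A); pad with 0x00 if high bit set."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return tlv(tag, body)


def build_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    A non-empty DN with an empty password is the 'unauthenticated' case."""
    bind = (ber_int(3)                          # version
            + tlv(0x04, dn.encode())            # name (LDAPDN)
            + tlv(0x80, password.encode()))     # authentication CHOICE: simple [0]
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, bind))


def build_bind_response(msg_id: int, result_code: int, diag: str = "") -> bytes:
    """BindResponse [APPLICATION 1] as a server would send it; used to construct
    sample replies for offline testing of the parser."""
    resp = ber_int(result_code, tag=0x0A) + tlv(0x04, b"") + tlv(0x04, diag.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x61, resp))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes):
    """Return (messageID, resultCode) from a BindResponse; raise ValueError otherwise."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError(f"expected BindResponse, got tag {tag:#x}")
    tag, code, _ = read_tlv(op)
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")


def probe_unauthenticated_bind(host: str, dn: str, port: int = 389, timeout: float = 5.0) -> int:
    """Send a simple bind with the DN and an empty password; return the resultCode.
    0 means the server accepts unauthenticated binds, so any application that trusts
    bind success alone is bypassable. Plain LDAP keeps the bytes visible; wrap the
    socket with ssl for LDAPS in real use."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_bind_request(1, dn, ""))
        data = s.recv(4096)
    _, code = parse_bind_response(data)
    return code


def accept_login(dn: str, password: str, bind_result_code: int) -> bool:
    """Hardened application-side decision: bind success is proof of credentials only
    when the client actually supplied a DN and a non-empty password. The vulnerable
    form of this check is just `bind_result_code == 0`."""
    if not dn or not password:
        return False
    return bind_result_code == 0


if __name__ == "__main__":
    import sys
    host, dn = sys.argv[1], sys.argv[2]   # e.g. ldap.example.internal cn=alice,dc=example,dc=com
    code = probe_unauthenticated_bind(host, dn)
    verdict = "server ACCEPTS unauthenticated binds" if code == 0 else "server refused"
    print(f"resultCode {code}: {verdict}")
```

Run it as python3 probe.py ldap.example.internal "cn=alice,dc=example,dc=com" against a staging replica first; the request is a single bind over port 389 and changes nothing on the server. If it returns 0, the application side is the only thing standing between an empty password and a login, which is exactly the dependency the fixed RT releases remove. Repeat the probe after applying the directory-side mitigation to confirm the result is now non-zero.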

Evidence notes

The vulnerability description and affected versions are sourced from the official CVE record and NVD entry. Fix versions 5.0.10 and 6.0.3 are confirmed through GitHub release tags. The CWE-287 classification and CVSS vector are provided in the NVD source data.

Official resources

CVE-2026-41076 was published on May 22, 2026, and last modified on May 26, 2026. The vulnerability was disclosed through GitHub Security Advisories and the National Vulnerability Database.