PatchSiren

CVE-2026-48245 Open ISES CVE debrief

CVE-2026-48245 describes a secret exposure issue in Open ISES Tickets before version 3.44.2. A Google Maps API key was hardcoded in tables.php and committed to the public source repository, making it readable by anyone with access to the code. Because the key could be reused to make Google Maps Platform requests charged to the original Google Cloud project, the issue creates both abuse and billing risk. The recorded CVSS score is 6.9 (Medium), and the weakness mapping is CWE-798, use of hard-coded credentials. The practical risk is not remote code execution; it is unauthorized use of a live API credential, potential quota exhaustion, and unexpected charges until the key is revoked or restricted.

Vendor: Open ISES
Product: Tickets
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Maintainers and operators of Open ISES Tickets deployments, anyone who cloned or mirrored the affected repository, and Google Cloud administrators responsible for the exposed Maps API key and billing account.

Technical summary

According to the supplied disclosure, versions of Open ISES Tickets before 3.44.2 included a hardcoded Google Maps API key in tables.php and committed it to the public repository. That makes the credential trivially recoverable from source history. The impact is abuse of Google Maps Platform API access under the original project, with likely billing and quota consequences rather than direct system compromise. The issue is classified as CWE-798.

Defensive priority

High

Recommended defensive actions

  • Upgrade Open ISES Tickets to v3.44.2 or later.
  • Treat the exposed Google Maps API key as compromised and revoke or rotate it in Google Cloud.
  • Check the Google Cloud project for unauthorized Maps API usage, quota spikes, or unexpected billing.
  • Apply API key restrictions and usage limits so any replacement key is locked to the minimum required services and referrers.
  • Review repository history and deployment artifacts for any additional hardcoded secrets.
  • Set up billing alerts and API usage monitoring to catch future misuse quickly.
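
For the repository history review, the added example below (not code from Open ISES or the advisory) scans `git log -p` output for Google API key patterns on added and removed lines and reports the commit, file, and a redacted key. The sample log, the `$gmaps_key` variable, the `GMAPS_API_KEY` name, and the placeholder key are constructed for illustration.

```python
import re
import subprocess

# Google API keys have a well-known shape: "AIza" + 35 URL-safe characters.
GOOGLE_KEY_RE = re.compile(r"AIza[0-9A-Za-z_\-]{35}")

def redact(key):
    """Keep enough to match the key in the Cloud console, hide the rest."""
    return key[:8] + "..." + key[-4:]

def scan_git_log(patch_text):
    """Return (commit, path, sign, redacted key) for keys on +/- lines of `git log -p`."""
    findings, commit, path = [], None, None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git ") and " b/" in line:
            path = line.split(" b/", 1)[1]
        elif line[:1] in ("+", "-") and not line.startswith(("+++ ", "--- ")):
            # '-' means a commit removed the key; it is still in history.
            for key in GOOGLE_KEY_RE.findall(line):
                findings.append((commit, path, line[0], redact(key)))
    return findings

def scan_repo(repo_dir):
    """Scan every ref of a local clone (needs git on PATH)."""
    cmd = ["git", "-C", repo_dir, "log", "-p", "--all", "--no-color"]
    out = subprocess.run(cmd, capture_output=True, text=True, errors="replace", check=True)
    return scan_git_log(out.stdout)

# Constructed sample (not the upstream commits): key added, later removed.
FAKE_KEY = "AIza" + "X" * 35  # placeholder, not a real credential
SAMPLE = """\
commit 2222222222222222222222222222222222222222
diff --git a/tables.php b/tables.php
--- a/tables.php
+++ b/tables.php
@@ -10 +10 @@
-$gmaps_key = "@KEY@";
+$gmaps_key = getenv("GMAPS_API_KEY");
commit 1111111111111111111111111111111111111111
diff --git a/tables.php b/tables.php
@@ -0,0 +10 @@
+$gmaps_key = "@KEY@";
""".replace("@KEY@", FAKE_KEY)

if __name__ == "__main__":
    for hit in scan_git_log(SAMPLE):
        print(hit)
```

A hit with sign `-` shows why removing the key in a later commit is not enough: the credential stays recoverable from history, so it still has to be revoked or rotated.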

Evidence notes

This debrief is based only on the supplied CVE record and the referenced VulnCheck disclosure materials. The source corpus states that the affected code was committed publicly, that the issue was fixed in release v3.44.2, and that the weakness is CWE-798. The NVD record for this CVE is marked Deferred in the supplied metadata, so the product naming here follows the provided source context rather than an independently validated vendor profile.

Official resources

Published in the CVE/NVD record on 2026-05-21, with source references pointing to the upstream fix and VulnCheck advisory.