PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48249 Open ISES CVE debrief

CVE-2026-48249 affects Open ISES Tickets before 3.44.2. In the mobile (RouteMate) login flow, the application disables TLS certificate verification for outbound HTTPS requests, which can allow a network-positioned attacker to intercept or alter traffic in transit.

Vendor: Open ISES
Product: Tickets
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and operators of Open ISES Tickets, especially environments that use the mobile (RouteMate) login flow or make outbound HTTPS calls from rm/incs/mobile_login.inc.php. Security teams should also pay attention if those requests carry API keys, session-bearing data, or other sensitive tokens.

Technical summary

The vulnerable code path in rm/incs/mobile_login.inc.php sets CURLOPT_SSL_VERIFYPEER to false and does not set CURLOPT_SSL_VERIFYHOST when making outbound HTTPS requests during the mobile login flow. That removes normal TLS certificate validation and host verification, creating a CWE-295 condition where an attacker on the network path can present a forged certificate and potentially observe or modify request and response data.
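The following is an added illustration, not code from Open ISES Tickets or from rm/incs/mobile_login.inc.php: a constructed PHP snippet showing the insecure cURL option pattern the advisory describes, beside a hardened replacement that restores chain validation and host-name matching. The endpoint URL, payload shape, function names and the optional CA bundle path are all assumptions made for the example.

```php
<?php
// Added example (not the project's code): the CWE-295 cURL pattern described in
// the advisory, next to a hardened version. Requires PHP 8 for the CurlHandle type.

// --- Vulnerable pattern: peer certificate validation switched off.
function build_insecure_handle(string $url, array $payload): CurlHandle
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($payload),
        CURLOPT_RETURNTRANSFER => true,
        // With VERIFYPEER off, any certificate is accepted, so a network-positioned
        // party can terminate the TLS session with a forged certificate.
        CURLOPT_SSL_VERIFYPEER => false,
        // CURLOPT_SSL_VERIFYHOST is left unset. Even if the name check still ran,
        // it cannot rescue the connection: an unvalidated certificate can carry any name.
    ]);
    return $ch;
}

// --- Hardened pattern: full chain validation plus host-name matching, HTTPS only.
function build_secure_handle(string $url, array $payload, ?string $caBundle = null): CurlHandle
{
    $ch = curl_init($url);
    $opts = [
        CURLOPT_POST            => true,
        CURLOPT_POSTFIELDS      => http_build_query($payload),
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,  // validate the chain against trusted CAs
        CURLOPT_SSL_VERIFYHOST  => 2,     // 2 is the only valid "on" value; 1 is rejected by modern cURL
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // refuse plain-HTTP targets
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // and plain-HTTP redirects
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2, // minimum version, not a pin
    ];
    if ($caBundle !== null) {
        // Explicit trust store (assumed path supplied by the deployer), useful when
        // the OS bundle is stale or the upstream uses a private CA.
        $opts[CURLOPT_CAINFO] = $caBundle;
    }
    curl_setopt_array($ch, $opts);
    return $ch;
}

// Fail closed: a certificate problem surfaces as a non-zero cURL errno (for example
// 60, "peer certificate cannot be authenticated"). Never retry with verification off.
function mobile_login_request(string $url, array $payload, ?string $caBundle = null): array
{
    $ch    = build_secure_handle($url, $payload, $caBundle);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $info  = curl_getinfo($ch);
    curl_close($ch);

    if ($errno !== 0) {
        return ['ok' => false, 'curl_errno' => $errno, 'error' => curl_strerror($errno)];
    }
    return ['ok' => true, 'status' => $info['http_code'], 'body' => $body];
}

// Constructed usage; the URL is a placeholder and is not contacted unless you run this.
$result = mobile_login_request('https://example.invalid/mobile/login', ['user' => 'demo']);
echo $result['ok'] ? "login request sent\n" : "refused: {$result['error']}\n";
```

Note that PHP's cURL binding already defaults to CURLOPT_SSL_VERIFYPEER = true and CURLOPT_SSL_VERIFYHOST = 2, so the hardened version mostly consists of not overriding the defaults; setting them explicitly documents intent and survives a future "helpful" edit that turns verification off.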

Defensive priority

High. The issue is remotely reachable over the network path and can expose or tamper with sensitive authentication-related traffic even without user interaction. Priority is highest for deployments that route secrets, API keys, or session material through the affected login flow.

Recommended defensive actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later.
  • Verify that outbound HTTPS requests in the mobile login flow use full TLS certificate and host-name validation.
  • Audit rm/incs/mobile_login.inc.php and related request code for any additional disabled TLS checks or custom trust handling.
  • Assume credentials or tokens may be exposed if the affected path was reachable on an untrusted network path, and rotate secrets if exposure is suspected.
  • Review logs and upstream endpoints for signs of interception, unexpected certificate behavior, or altered responses around the affected period.
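As an added aid for the audit step above (not a tool shipped with Open ISES Tickets), the following constructed PHP script walks a source tree and flags lines where cURL peer verification is disabled or host verification is explicitly weakened, and notes files that reference CURLOPT_SSL_VERIFYPEER without ever setting CURLOPT_SSL_VERIFYHOST, matching the pattern the advisory describes. It is a regex heuristic over source text: its output is a review list, not a proof of safety, and the function names and sample input are assumptions.

```php
<?php
// Added example (not the project's code): heuristic static audit for disabled
// TLS verification in PHP cURL calls. Run as: php audit_curl_tls.php rm/incs/

function audit_curl_tls(string $source, string $label = '<input>'): array
{
    $findings   = [];
    $sawPeer    = false;
    $sawHost    = false;
    foreach (preg_split('/\R/', $source) as $i => $line) {
        $n = $i + 1;
        if (stripos($line, 'CURLOPT_SSL_VERIFYPEER') !== false) {
            $sawPeer = true;
        }
        if (stripos($line, 'CURLOPT_SSL_VERIFYHOST') !== false) {
            $sawHost = true;
        }
        // VERIFYPEER set to false/0, via curl_setopt($ch, X, v) or an options array X => v.
        if (preg_match('/CURLOPT_SSL_VERIFYPEER\s*(?:,|=>)\s*(?:false|0)\b/i', $line)) {
            $findings[] = [$label, $n, 'CURLOPT_SSL_VERIFYPEER disabled (CWE-295)'];
        }
        // VERIFYHOST set to anything but 2: 0 disables it, 1 is invalid in modern cURL.
        if (preg_match('/CURLOPT_SSL_VERIFYHOST\s*(?:,|=>)\s*(?:false|0|1)\b/i', $line)) {
            $findings[] = [$label, $n, 'CURLOPT_SSL_VERIFYHOST weakened'];
        }
    }
    if ($sawPeer && !$sawHost) {
        $findings[] = [$label, 0, 'CURLOPT_SSL_VERIFYPEER referenced but CURLOPT_SSL_VERIFYHOST never set'];
    }
    return $findings;
}

// Recursively audit every .php file under the given paths.
function audit_paths(array $paths): array
{
    $all = [];
    foreach ($paths as $path) {
        if (is_file($path)) {
            $all = array_merge($all, audit_curl_tls((string) file_get_contents($path), $path));
            continue;
        }
        $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path, FilesystemIterator::SKIP_DOTS));
        foreach ($it as $file) {
            if (strtolower($file->getExtension()) === 'php') {
                $all = array_merge($all, audit_curl_tls((string) file_get_contents($file->getPathname()), $file->getPathname()));
            }
        }
    }
    return $all;
}

// Constructed sample standing in for a file under review when no paths are given.
$sample = <<<'PHP'
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
PHP;

$findings = (PHP_SAPI === 'cli' && $argc > 1)
    ? audit_paths(array_slice($argv, 1))
    : audit_curl_tls($sample, 'sample.php');

foreach ($findings as [$file, $line, $msg]) {
    printf("%s:%d: %s\n", $file, $line, $msg);
}
exit($findings ? 1 : 0); // non-zero exit lets CI block on findings
```

On the constructed sample this reports the disabled VERIFYPEER line and the missing VERIFYHOST setting. Pair the scan with a runtime check against an endpoint that presents an untrusted certificate: a correctly configured client must fail the request rather than proceed.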

Evidence notes

The vulnerability description states that versions before 3.44.2 disable TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false and omitting CURLOPT_SSL_VERIFYHOST during outbound HTTPS requests in the mobile (RouteMate) login flow. The supplied advisory references a fixing commit and the v3.44.2 release tag, supporting that 3.44.2 is the remediation version. NVD lists the item as Deferred at the time of the supplied record.

Official resources

Publicly disclosed in the supplied source record on 2026-05-21; the source item and CVE record share the same publication timestamp. Use the CVE publication time as the primary date reference.