PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-14871 osTicket CVE debrief

osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) vulnerability leading to Insecure Direct Object Reference (IDOR) in the AJAX ticket-management subsystem. This issue allows attackers to access sensitive information or perform unauthorized actions on tickets. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. Organizations using these versions should prioritize patching to prevent potential exploitation.

Vendor
osTicket
Product
Unknown
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Organizations using osTicket versions v1.18.3 and v1.17.7 should prioritize patching this vulnerability to prevent potential exploitation. This includes operators, platform administrators, vulnerability management teams, and security teams who need to ensure the security of their systems.

Technical summary

The CVE-2026-14871 vulnerability is caused by a Broken Object Level Authorization (BOLA) issue in the AJAX ticket-management subsystem of osTicket versions v1.18.3 and v1.17.7. This allows an attacker to access or manipulate ticket information without proper authorization. The vulnerability has a CVSS score of 7.1, indicating a high severity level. The issue can be mitigated by applying patches or updates provided by the vendor.

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates provided by the vendor to address the BOLA vulnerability
  • Implement additional access controls and monitoring to detect potential exploitation attempts
  • Conduct thorough inventory checks to identify affected systems
  • Consider compensating controls such as Web Application Firewalls (WAFs) to help mitigate the vulnerability
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-17T16:17:13.580Z and was last modified on 2026-07-17T18:10:00.977Z. The NVD entry is currently Awaiting Analysis. This information is based on the NVD entry and the CVE record. The affected product, osTicket, has versions v1.18.3 and v1.17.7 that are vulnerable to this issue. The CVE record and NVD entry provide further details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T16:17:13.580Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.