CVE-2026-9507
MediumCVSS 5.1Summary
A session fixation vulnerability has been identified in osTicket v1.18.2, allowing an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) active after a successful login.
Risk Assessment
This vulnerability poses a risk of unauthorized access to user accounts, potentially leading to data theft or other malicious activities.
Recommendation
It is recommended to update to the latest version of osTicket that addresses this vulnerability and to implement mechanisms to invalidate cookies prior to authentication.
Original NVD description (English source)
A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) active after a successful login. The issue lies in the fact that the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim’s browser, they will be able to maintain unauthorised access to the account once the victim has authenticated.

