CVE Catalog

CVE-2026-9507

MediumCVSS 5.1
Published: Updated: Translated: NVD NIST

Summary

A session fixation vulnerability has been identified in osTicket v1.18.2, allowing an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) active after a successful login.

Risk Assessment

This vulnerability poses a risk of unauthorized access to user accounts, potentially leading to data theft or other malicious activities.

Recommendation

It is recommended to update to the latest version of osTicket that addresses this vulnerability and to implement mechanisms to invalidate cookies prior to authentication.

Original NVD description (English source)

A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) active after a successful login. The issue lies in the fact that the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim’s browser, they will be able to maintain unauthorised access to the account once the victim has authenticated.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS