Description
User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability allows attackers to determine which usernames are registered on an osTicket installation by sending web requests to the password‑reset page. This user enumeration can be used to gather contact information that supports social engineering or credential‑based attacks. The weakness is classified as CWE‑203, where information that should remain confidential is inadvertently disclosed.

Affected Systems

vulnerable to this flaw are products running osTicket version 1.18.2. No other vendors or product lineages are listed as affected, so the impact is limited to installations of this specific version.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. While the EPSS score is unavailable and the flaw is not listed in CISA’s KEV catalog, the attack path is inferred to be remote over the network, triggered by HTTP requests to /pwreset.php. Due to the lack of documented exploitation and moderate score, the overall risk is moderate, but addressing it promptly is advisable.

Generated by OpenCVE AI on April 2, 2026 at 22:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade osTicket to a version that removes the user‑enumeration flaw (consult the vendor’s release notes).
  • If an immediate upgrade is not possible, restrict access to the /pwreset.php endpoint to trusted IPs or internal networks only.
  • Consider disabling the password‑reset feature when it is not needed, or add an additional verification step such as email confirmation before processing the request.
  • Implement rate limiting or monitoring on web‑server logs to detect repeated enumeration attempts.

Generated by OpenCVE AI on April 2, 2026 at 22:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title User Enumeration via Password Reset in osTicket 1.18.2
First Time appeared Osticket
Osticket osticket
Vendors & Products Osticket
Osticket osticket

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform.
Weaknesses CWE-203
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Osticket Osticket
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T18:05:15.423Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26895

cve-icon Vulnrichment

Updated: 2026-04-02T18:03:30.376Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-02T17:16:21.833

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-26895

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:19:02Z

Weaknesses