Description
User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

A user enumeration flaw exists in the password reset page of osTicket 1.18.2 that allows a remote attacker to determine whether a specific username is registered on the system. The flaw arises because the application responds differently to valid and invalid usernames, so an attacker can infer whether an account exists from the response alone. This weakness is classified as CWE-203, which covers information disclosure through observable differences in an application's output.

Affected Systems

The vulnerability affects installations of osTicket running version 1.18.2. The affected product is osTicket, published by Enhancesoft, as indicated by the CPE string for enhancesoft:osticket. Any deployment that has not applied subsequent fixes in later releases is susceptible.

Risk and Exploitability

The flaw carries a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, suggesting a low probability of exploitation at this time. It is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker can exploit the vulnerability remotely by sending crafted HTTP requests to the /pwreset.php endpoint; no authentication is required, and the attack can be performed from any network that can reach the web server.

Generated by OpenCVE AI on April 7, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade osTicket to the latest available version that has removed the enumeration flaw (e.g., 1.18.3 or newer).
  • If an upgrade is not immediately possible, limit access to the /pwreset.php page using firewall rules, reverse‑proxy restrictions, or IP whitelisting to reduce the attack surface.
  • Ensure that error messages or response times from the password reset functionality do not differ between valid and invalid usernames, so that the application no longer leaks account existence information.
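As an added illustration of the third recommendation, not code from osTicket or OpenCVE: a minimal Python password-reset handler that returns the same status, body and minimum response time whether or not the username exists, shown beside the leaky pattern and a defender's check that compares two responses. The user store, mailer stub and token handling are constructed for the example.

```python
import secrets
import time

# Constructed sample user store; a real application reads its database here.
USERS = {"alice": "alice@example.test"}

# Generic wording that is identical whether or not the account exists.
GENERIC_MESSAGE = "If an account matches, a password reset link has been sent."


def leaky_reset(username: str) -> tuple[int, str]:
    """The vulnerable pattern: status code and text reveal account existence."""
    if username in USERS:
        return 200, "A reset link was sent to your email address."
    return 404, "No account found with that username."


def hardened_reset(username: str, send_mail, min_seconds: float = 0.2) -> tuple[int, str]:
    """Uniform response: same status, same body, and a minimum elapsed time.

    Token generation and mailing only happen for known accounts, but the
    caller cannot tell: the body is constant and every request is padded to
    at least min_seconds so the slower e-mail path does not stand out.
    (A timing floor reduces, but does not eliminate, measurable differences.)
    """
    start = time.monotonic()
    email = USERS.get(username)
    if email is not None:
        token = secrets.token_urlsafe(32)  # hypothetical reset token; persist it server-side
        send_mail(email, token)
    remaining = min_seconds - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)
    return 200, GENERIC_MESSAGE


def responses_distinguishable(a: tuple[int, str], b: tuple[int, str]) -> bool:
    """Defender's check: do two (status, body) responses differ at all?"""
    return a != b


def timed_reset(username: str, min_seconds: float = 0.2) -> tuple[tuple[int, str], float]:
    """Run hardened_reset with a stub mailer and report the elapsed seconds."""
    sent = []  # records (address, token) pairs the stub mailer was asked to send
    start = time.monotonic()
    resp = hardened_reset(username, lambda to, tok: sent.append((to, tok)), min_seconds)
    return resp, time.monotonic() - start
```

Running responses_distinguishable over a known-valid and an unknown username is also a quick way to verify a deployed reset page after patching.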

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

  Title: User Enumeration via Password Reset in osTicket 1.18.2

Tue, 07 Apr 2026 18:00:00 +0000

  First Time appeared: Enhancesoft; Enhancesoft osticket
  CPEs: cpe:2.3:a:enhancesoft:osticket:*:*:*:*:*:*:*:*
  Vendors & Products: Enhancesoft; Enhancesoft osticket

Fri, 03 Apr 2026 10:15:00 +0000

  Title: User Enumeration via Password Reset in osTicket 1.18.2
  First Time appeared: Osticket; Osticket osticket
  Vendors & Products: Osticket; Osticket osticket

Thu, 02 Apr 2026 20:30:00 +0000

  Description: User enumeration vulnerability in /pwreset.php in osTicket v1.18.2 allows remote attackers to enumerate valid usernames registered in the platform.
  Weaknesses: CWE-203
  References:
  Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
           ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T18:05:15.423Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26895

Vulnrichment

Updated: 2026-04-02T18:03:30.376Z

NVD

Status : Analyzed

Published: 2026-04-02T17:16:21.833

Modified: 2026-04-07T16:01:01.163

Link: CVE-2026-26895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:56:37Z

Weaknesses