Description
Vulnerability in Centreon Open Tickets on Central Server on Linux (Centreon Open Ticket modules). This issue affects Centreon Open Tickets on Central Server: all versions before 25.10.3, 24.10.8, 24.04.7.
Published: 2026-02-27
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal allowing arbitrary file read
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Centreon Open Tickets module on the Central Server on Linux lets an attacker supply a crafted file path that contains directory traversal sequences. The application fails to properly validate or canonicalize the path, so the attacker can read files located outside the intended directory on the underlying Linux file system. Classified as CWE-22, the vulnerability can expose sensitive configuration data, credentials, or other confidential files, creating a serious risk of information leakage. The leaked data could also be used in further attacks if the attacker gains an additional foothold.

Affected Systems

Centreon Open Tickets modules installed on a Centreon Central Server running Linux are impacted for all releases older than versions 25.10.3, 24.10.8, or 24.04.7.

Risk and Exploitability

The CVSS base score of 9.9 classifies the flaw as Critical, indicating high potential impact. An EPSS score of less than 1% suggests the current probability of exploitation is very low. The vulnerability is not listed in the CISA KEV catalog, implying no publicly known active exploitation. The attack vector is likely remote, via the Centreon web interface, where a malicious user can submit a crafted path to the Open Tickets API to read sensitive files.

Generated by OpenCVE AI on April 17, 2026 at 13:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Centreon Open Tickets to the latest releases – 25.10.3 or newer, 24.10.8 or newer, or 24.04.7 or newer – on all affected Central Server installations.
  • Reduce the file system privileges of the web user account executing Centreon Open Tickets so it cannot access directories outside the application’s designated area.
  • Implement server‑side input validation or a web application firewall rule that detects and blocks directory traversal sequences in requests to the Open Tickets module.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Linux
Linux linux Kernel
Weaknesses CWE-22
CPEs cpe:2.3:a:centreon:open_tickets:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Vendors & Products Linux
Linux linux Kernel

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Centreon
Centreon open Tickets
Vendors & Products Centreon
Centreon open Tickets

Fri, 27 Feb 2026 15:30:00 +0000

Type Values Removed Values Added
Description Vulnerability in Centreon Centreon Open Tickets on Central Server on Linux (Centroen Open Ticket modules).This issue affects Centreon Open Tickets on Central Server: from all before 25.10.3, 24.10.8, 24.04.7.
Title Path traversal in Centreon Open Tickets
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Centreon

Published:

Updated: 2026-03-06T15:31:59.884Z

Reserved: 2026-02-19T14:25:05.119Z

Link: CVE-2026-2749

Vulnrichment

Updated: 2026-03-06T15:31:55.394Z

NVD

Status: Analyzed

Published: 2026-02-27T16:16:25.700

Modified: 2026-03-23T17:05:37.740

Link: CVE-2026-2749

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z