Description
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.3.
Published: 2026-05-22
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Cross-Site Request Forgery vulnerability exists in RT versions 6.0.0 through 6.0.2. An attacker who can trick an authenticated user into visiting a malicious site can cause that user's session to execute unwanted actions within RT, potentially altering or deleting tickets and other protected data. This weakness is a classic CSRF flaw (CWE-352) that compromises user confidentiality, integrity and availability of the issue-tracking system.

Affected Systems

Bestpractical RT 6.0.0 through 6.0.2 are affected. Deployments running these versions are at risk; upgrading to 6.0.3 addresses the issue.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is a malicious website that an authenticated user is induced to visit, allowing the attacker to make that user's session perform unintended state-changing actions in RT. Based on the description, the attack requires only a valid user session and the user's visit to the malicious site; no additional network or authentication prerequisites are necessary.

Generated by OpenCVE AI on May 22, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RT to version 6.0.3 or later.
  • Implement server-side CSRF token validation on all state-changing endpoints.
  • Configure a web-application firewall or IPS to block anomalous POST or PATCH requests that lack a valid CSRF token.

Advisories

No advisories yet.

History

Fri, 22 May 2026 22:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Bestpractical
                                      Bestpractical rt
Vendors & Products                    Bestpractical
                                      Bestpractical rt

Fri, 22 May 2026 21:30:00 +0000

Type          Values Removed   Values Added
Description                    RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.3.
Title                          RT has broken CSRF protection for authenticated users
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T21:12:41.473Z

Reserved: 2026-04-16T16:43:03.175Z

Link: CVE-2026-41074

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T23:30:03Z

Weaknesses