Description
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users.
Published: 2026-05-22
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an SQL injection in the RT issue tracking system where a crafted entry_aggregator input is directly incorporated into database queries without validation. This allows an authenticated attacker to read or modify the RT database, potentially exposing sensitive information or corrupting ticket data. The problem is categorized as CWE-89, the classic SQL injection weakness.

Affected Systems

Bestpractical RT versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 are vulnerable. RT is an open-source ticket tracker. Versions 5.0.10 and 6.0.3 contain the fix and are the correct upgrade targets.

Risk and Exploitability

The CVSS score of 8.8 signals a high-severity issue. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. An attacker needs a valid RT account, either their own or one reached through lateral movement within the network. Once authenticated, the entry_aggregator parameter can be abused to inject SQL commands and read or alter any database rows that the user has permission to access.

Generated by OpenCVE AI on May 22, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RT to version 5.0.10 or 6.0.3 to apply the patch that properly sanitizes the entry_aggregator input.
  • If a patch is not immediately possible, restrict RT account access to a minimal set of trusted users to reduce the exploitation surface.
  • For environments that cannot be upgraded promptly, disable or limit the JSON search interface that accepts the entry_aggregator parameter for non-trusted accounts, ensuring the function is only exposed to privileged users.
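The parameter named in the title joins search terms, so (assuming, as the name suggests, it is the AND/OR operator between conditions) it is a SQL keyword rather than a data value: a bound placeholder cannot protect it, and the defensive pattern is an allowlist. The following Python model is an added example, not RT's own code (RT is written in Perl); the table, column names and sample rows are constructed.

```python
"""Allowlisting a SQL keyword and identifiers that cannot be bound as placeholders.

Models a JSON search handler that joins per-column conditions with an
'entry_aggregator' (assumed here to be AND/OR). Condition values are bound
with '?' placeholders; the aggregator and column names are spliced into the
SQL text, so they must be validated against a fixed allowlist instead.
"""
import sqlite3

ALLOWED_AGGREGATORS = frozenset({"AND", "OR"})
ALLOWED_COLUMNS = frozenset({"Status", "Queue", "Owner"})  # constructed set


class InvalidSearchInput(ValueError):
    pass


def build_where_unchecked(conditions, entry_aggregator):
    """Vulnerable pattern: whatever string arrives is spliced into the WHERE
    clause verbatim. Only the values on the right-hand side are bound."""
    clause = f" {entry_aggregator} ".join(f"{col} = ?" for col, _ in conditions)
    return clause, [val for _, val in conditions]


def normalize_aggregator(entry_aggregator):
    """Hardened pattern: accept exactly AND or OR (case-insensitive), default
    to AND when absent, and reject everything else before it reaches SQL."""
    agg = (entry_aggregator or "AND").strip().upper()
    if agg not in ALLOWED_AGGREGATORS:
        raise InvalidSearchInput(f"unsupported entry_aggregator: {entry_aggregator!r}")
    return agg


def build_where_checked(conditions, entry_aggregator):
    """Allowlist both the keyword and the identifiers, then bind the values."""
    for col, _ in conditions:
        if col not in ALLOWED_COLUMNS:
            raise InvalidSearchInput(f"unsupported column: {col!r}")
    return build_where_unchecked(conditions, normalize_aggregator(entry_aggregator))


def search_tickets(conn, conditions, entry_aggregator):
    clause, params = build_where_checked(conditions, entry_aggregator)
    sql = f"SELECT id FROM Tickets WHERE {clause} ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    # Constructed sample data standing in for a ticket table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Tickets (id INTEGER, Status TEXT, Queue TEXT)")
    conn.executemany("INSERT INTO Tickets VALUES (?, ?, ?)",
                     [(1, "open", "General"), (2, "new", "General"), (3, "open", "Support")])
    return conn
```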

Advisories

No advisories yet.

History

Fri, 22 May 2026 23:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Bestpractical
                                       Bestpractical rt
Vendors & Products                     Bestpractical
                                       Bestpractical rt

Fri, 22 May 2026 21:30:00 +0000

Type          Values Removed   Values Added
Description                    RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users.
Title                          RT: SQL injection via entry_aggregator parameter in JSON search
Weaknesses                     CWE-89
References
Metrics                        cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-22T21:17:36.063Z

Reserved: 2026-04-16T16:43:03.175Z

Link: CVE-2026-41075

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T23:30:03Z

Weaknesses