Description
Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud project.
Published: 2026-05-21
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a hard‑coded Google Maps API key embedded in Open ISES Tickets settings.inc.php. Because the source repository is publicly accessible, any user can read the file and extract the key. This key can then be used to send Google Maps Platform requests, causing charges to accrue on the original project’s Google Cloud account. The weakness is a credential exposure (CWE‑798) and represents an information‑leak and financial risk rather than code execution.

Affected Systems

Open ISES Tickets versions earlier than 3.44.2 are affected. The exposed key resides in settings.inc.php across the source tree for all releases before the 3.44.2 update, removing the hard‑coded key from the repository.

Risk and Exploitability

The CVSS score of 6.9 indicates a high severity flaw. With no EPSS value available and the vulnerability not listed in CISA KEV, the likelihood of broad exploitation is moderate, but the barrier to use is low: anyone with repository read access can obtain the key. The attack vector is primarily through source code availability, and once the key is extracted, an attacker can generate arbitrary Maps requests, leading to unwanted billing.

Generated by OpenCVE AI on May 21, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Open ISES Tickets 3.44.2 or later, which removes the hard‑coded API key
  • If an immediate upgrade is not possible, remove the key from the source repository and replace it with a securely stored credential such as an environment variable or external configuration file
  • Regenerate the lost API key in the Google Cloud console, revoke the compromised key, and monitor billing for unexpected activity

Generated by OpenCVE AI on May 21, 2026 at 18:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description Open ISES Tickets before 3.44.2 embeds a hardcoded Google Maps API key in settings.inc.php that is committed to the public source repository. The key can be extracted by anyone with read access to the source and used to make Google Maps Platform requests billed against the original owner's Google Cloud project.
Title Open ISES Tickets < 3.44.2 Hardcoded Google Maps API Key in settings.inc.php
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T18:23:42.944Z

Reserved: 2026-05-21T13:15:18.102Z

Link: CVE-2026-48244

cve-icon Vulnrichment

Updated: 2026-05-21T18:23:16.904Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T18:16:21.530

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48244

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T18:45:17Z

Weaknesses