Impact
Open ISES Tickets versions before 3.44.2 contain a hardcoded Google Maps API key in the tables.php file. The key is stored directly in the source code and committed to the public repository, so anyone who can read the source can extract it. Once obtained, the key authorizes requests to Google Maps Platform under the project owner's billing account, potentially leading to unexpected charges or to denial of service when usage limits are exceeded. This is a hardcoded-credential weakness, classified as CWE‑798 (Use of Hard-coded Credentials).
Affected Systems
The vulnerability affects installations of Open ISES Tickets older than version 3.44.2. No specific minor releases are listed, so all releases preceding the 3.44.2 stable milestone are considered at risk.
Risk and Exploitability
The CVSS score of 6.9 indicates a moderate to high risk profile. Because the API key is embedded in code rather than delivered over the network, the attack vector is based on code review or source download, which is usually considered a local or developer‑level exposure. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no known widespread exploitation. Nonetheless, any actor who obtains the repository can freely use the key to make Google Maps requests billed to the owner's account, which has a predictable financial impact and could be technically trivial to perform. Consequently, the vulnerability is likely to be abused in a targeted scenario or by automated scripts that scan the repository for hardcoded credentials.
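The two practical responses to this class of finding are detecting the embedded key in source before it is committed, and moving the key out of source into the deployment environment. The following added example (not code from the Open ISES Tickets project or from the advisory) shows both: a small scanner that flags Google API key literals in source files, run over a constructed stand-in for a vulnerable tables.php, and a fail-closed loader that reads the key from an environment variable instead. The `AIza` + 35-character key format is the publicly documented shape that secret scanners match on; the environment variable name `GOOGLE_MAPS_API_KEY`, the sample file contents and the key value itself are all constructed for this illustration and are not real credentials.

```python
import os
import re
from typing import Mapping, NamedTuple, Optional

# Google API keys (Maps Platform keys included) are 39 characters long and
# start with the prefix "AIza". This is the same heuristic public secret
# scanners use; treating it as the detection pattern is an assumption here.
GOOGLE_API_KEY_RE = re.compile(r"AIza[0-9A-Za-z_-]{35}")


class Finding(NamedTuple):
    path: str
    line_no: int
    key_redacted: str
    context: str


def redact(key: str) -> str:
    """Keep only the prefix and last four characters so a report never re-leaks the secret."""
    return key[:4] + "..." + key[-4:]


def scan_source(path: str, text: str) -> list:
    """Return one Finding per Google API key literal found in `text`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in GOOGLE_API_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, redact(match.group(0)), line.strip()))
    return findings


def scan_tree(root: str, exts=(".php", ".js", ".html", ".env", ".ini")) -> list:
    """Walk a checkout and scan every file with a likely-to-hold-config extension."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(full, fh.read()))
    return findings


def load_maps_key(env: Optional[Mapping[str, str]] = None) -> str:
    """Hardened retrieval: take the key from the deployment environment and refuse
    to run when it is absent or malformed, instead of embedding it in source."""
    env = os.environ if env is None else env
    key = env.get("GOOGLE_MAPS_API_KEY", "").strip()
    if not GOOGLE_API_KEY_RE.fullmatch(key):
        raise RuntimeError("GOOGLE_MAPS_API_KEY missing or malformed; refusing to start")
    return key


# Constructed stand-in for a vulnerable tables.php. The key value has the right
# shape but is fabricated; it is not a real credential.
SAMPLE_TABLES_PHP = """<?php
// ... other includes ...
$maps_api_key = "AIzaSyEXAMPLE_NOT_A_REAL_KEY_0123456789";
echo '<script src="https://maps.googleapis.com/maps/api/js?key=' . $maps_api_key . '"></script>';
"""

# Constructed hardened variant: the key comes from the server environment, so the
# committed source contains nothing for the scanner (or an attacker) to find.
HARDENED_TABLES_PHP = """<?php
$maps_api_key = getenv('GOOGLE_MAPS_API_KEY');
if ($maps_api_key === false || $maps_api_key === '') {
    http_response_code(500);
    exit('Maps API key not configured');
}
echo '<script src="https://maps.googleapis.com/maps/api/js?key=' . htmlspecialchars($maps_api_key) . '"></script>';
"""


if __name__ == "__main__":
    for f in scan_source("tables.php", SAMPLE_TABLES_PHP):
        print(f"{f.path}:{f.line_no}: hardcoded Google API key {f.key_redacted}")
    print("hardened findings:", scan_source("tables.php", HARDENED_TABLES_PHP))
```

Running `scan_tree(".")` as a pre-commit hook or CI step catches a key like this before it reaches the public repository; `load_maps_key` is the pattern the application code should follow once the leaked key has been rotated, since revoking the committed key is the only way to stop further billing against it.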
OpenCVE Enrichment