Description
Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.
Published: 2026-05-21
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Open ISES Tickets < 3.44.2 disables TLS certificate verification when the server calls the Google Maps Directions API during incident report generation by setting CURLOPT_SSL_VERIFYPEER to false and leaving CURLOPT_SSL_VERIFYHOST undefined. This allows an attacker positioned on the network path between the ticketing server and the remote endpoint to present a forged certificate, thereby intercepting, monitoring or modifying the request and response, which can expose API keys, session data or other sensitive information in transit.

Affected Systems

The vulnerability affects the Open ISES Tickets application, specifically all versions prior to 3.44.2. Any deployment running those earlier releases is susceptible to the described MITM attack.

Risk and Exploitability

The CVSS score of 8.2 reflects a high-severity flaw. No EPSS score is available, but the probability of exploitation should not be assumed to be negligible; the vulnerability is not listed in the CISA KEV catalog. An attacker would need to intercept traffic on the path between the ticketing server and Google's servers, which typically means a network-level attacker or a compromised intermediary. Given the potential to tamper with API keys and session data, the impact spans confidentiality and integrity across the application and its communications.

Generated by OpenCVE AI on May 21, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open ISES Tickets to version 3.44.2 or later, which restores proper TLS certificate verification.
  • Reconfigure the application to enforce certificate verification (CURLOPT_SSL_VERIFYPEER enabled and CURLOPT_SSL_VERIFYHOST set to 1) for all outbound HTTPS calls, so that a future code change cannot silently disable peer verification again.
  • Restrict outbound HTTPS traffic from the ticket server to only the Google Maps Directions API endpoint using firewall or proxy rules, limiting the attack surface to that specific external resource.
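As an added illustration (not code from Open ISES Tickets or from this advisory), here is the weak cURL setup the description attributes to ajax/reports.php next to a hardened equivalent for the same Google Maps Directions lookup, written in PHP because that is the language of the affected file; it serves both the Impact section above and the reconfiguration recommendation. The endpoint URL, the `$caBundle` path and the function names are assumptions; note that current libcurl expects CURLOPT_SSL_VERIFYHOST to be 2 (the value 1 is obsolete), which is what the hardened block uses.

```php
<?php
// Added illustration, not Open ISES Tickets code. Endpoint, $caBundle and
// function names are assumptions. Requires ext-curl on PHP 8.

// Weak setup as described in the advisory: peer verification is switched
// off and host-name verification is never set, so any certificate an
// on-path party presents is accepted (CWE-295).
function directionsHandleWeak(string $url): CurlHandle
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // the defect
    return $ch;
}

// Hardened setup: verify the chain against an explicit CA bundle, require
// the certificate to match the host name (2, not the obsolete 1), and refuse
// anything but HTTPS, including on redirects.
function directionsHandleHardened(string $url, string $caBundle): CurlHandle
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_CAINFO          => $caBundle,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
    ]);
    return $ch;
}

// Directions lookup that fails closed: a verification failure (typically
// curl errno 60, CURLE_SSL_CACERT) is logged and surfaced, never ignored.
function fetchDirections(string $apiKey, string $origin, string $dest, string $caBundle): array
{
    $url = 'https://maps.googleapis.com/maps/api/directions/json?'
         . http_build_query(['origin' => $origin, 'destination' => $dest, 'key' => $apiKey]);
    $ch = directionsHandleHardened($url, $caBundle);
    $body = curl_exec($ch);
    if ($body === false) {
        $msg = sprintf('Directions lookup failed (curl %d): %s', curl_errno($ch), curl_error($ch));
        error_log($msg);
        throw new RuntimeException($msg);
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}
```

A quick regression check for the recommendation is to grep the code base for `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` and fail the build on any `false` or `0` value.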

Advisories

No advisories yet.

History

Thu, 21 May 2026 18:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 17:45:00 +0000

Values added:
Description: Open ISES Tickets before 3.44.2 disables TLS certificate verification in ajax/reports.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for Google Maps Directions API lookups during incident report generation. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.
Title: Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in ajax/reports.php
Weaknesses: CWE-295
References:
Metrics: cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}; cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T18:05:48.867Z

Reserved: 2026-05-21T13:15:18.102Z

Link: CVE-2026-48246

Vulnrichment

Updated: 2026-05-21T18:05:45.554Z

NVD

Status : Deferred

Published: 2026-05-21T18:16:21.780

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48246

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T18:45:17Z

Weaknesses