Description
Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.
Published: 2026-05-21
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the mobile login module of Open ISES Tickets, where outbound HTTPS requests are sent with TLS certificate verification disabled by setting CURLOPT_SSL_VERIFYPEER to false. This allows an attacker to present a forged certificate and intercept or modify requests, potentially exposing API keys, session tokens, or other sensitive data in transit. The vulnerability class is CWE-295 (Improper Certificate Validation); because the login flow carries credentials, a successful interception can lead to credential compromise and further escalation.

Affected Systems

Vulnerable installations are those running any Open ISES Tickets release prior to version 3.44.2. No specific patch revisions are listed; the problem persists in every release before 3.44.2, the first release in which TLS verification is correctly enabled.

Risk and Exploitability

With a CVSS score of 8.2, the vulnerability is considered high severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, indicating that no publicly known exploitation campaigns have yet been reported. The attack vector is inferred as a network-based MitM: an adversary on the path between the server and the external endpoint can supply a forged certificate, and the server will accept it. The absence of certificate verification creates a clear avenue for interception or tampering of login traffic, making the vulnerability exploitable under realistic network conditions.

Generated by OpenCVE AI on May 21, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Open ISES Tickets version 3.44.2 or later, which restores TLS certificate verification.
  • If an upgrade cannot be applied immediately, disable the mobile (RouteMate) login flow or block outbound requests from it until the patch is applied.
  • Patch the code by setting CURLOPT_SSL_VERIFYPEER to true and CURLOPT_SSL_VERIFYHOST to 2 for all outbound HTTPS calls in rm/incs/mobile_login.inc.php.

Generated by OpenCVE AI on May 21, 2026 at 19:05 UTC.
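
The weak setting beside the corrected one, as an added illustration of the fix described in the recommended actions. This is not code from Open ISES Tickets or its rm/incs/mobile_login.inc.php; the function names, the endpoint URL and the CA bundle path are assumptions.

```php
<?php
// Added example, not code from Open ISES Tickets. Function names, the
// endpoint URL and the CA bundle path are assumptions for illustration.

// Vulnerable pattern described in the advisory: peer verification is off and
// CURLOPT_SSL_VERIFYHOST is left at its default, so any certificate the
// on-path party presents is accepted (CWE-295).
function routemate_login_request_insecure(string $url, array $fields)
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_SSL_VERIFYPEER => false, // the defect: chain is never checked
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Corrected form: verify the chain against a trusted CA bundle, check that the
// certificate name matches the host (VERIFYHOST must be 2; 1 and true are not
// valid hostname checks in modern libcurl), require TLS 1.2 or newer, refuse
// non-HTTPS URLs, and fail closed on any TLS error instead of returning data.
function routemate_login_request(
    string $url,
    array $fields,
    string $caBundle = '/etc/ssl/certs/ca-certificates.crt' // assumed path
): string {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION => false, // no redirect away from the pinned scheme
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('RouteMate login request failed: ' . $err);
    }
    curl_close($ch);
    return $body;
}
```

Auditing a deployment for the same defect is a matter of searching the PHP tree for `CURLOPT_SSL_VERIFYPEER` set to `false` or `0`, or for `CURLOPT_SSL_VERIFYHOST` set to anything other than `2`. With both options set as above, curl rejects a certificate that does not chain to the bundle and one that is valid but issued for a different name, which is exactly the forged-certificate case the advisory describes.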

Advisories

No advisories yet.

History

Thu, 21 May 2026 19:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 17:45:00 +0000

Type: Description
Values removed: (none)
Values added: Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.

Type: Title
Values removed: (none)
Values added: Open ISES Tickets < 3.44.2 Disabled TLS Certificate Verification in rm/incs/mobile_login.inc.php

Type: Weaknesses
Values removed: (none)
Values added: CWE-295

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1 {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}
  cvssV4_0 {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T18:15:21.131Z

Reserved: 2026-05-21T13:15:18.102Z

Link: CVE-2026-48249

Vulnrichment

Updated: 2026-05-21T18:15:16.923Z

NVD

Status: Deferred

Published: 2026-05-21T18:16:22.167

Modified: 2026-05-21T19:10:12.323

Link: CVE-2026-48249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T19:15:20Z

Weaknesses