Description
A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim's account by keeping the initial session identifier (OSTSESSID) active after a successful login.

The issue lies in the fact that the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim's browser, they will be able to maintain unauthorised access to the account once the victim has authenticated.
Published: 2026-06-16
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A session fixation flaw is present in osTicket version 1.18.2. The application fails to invalidate the pre‑authentication cookie or create a new session identifier after the user logs in. If an attacker can set a known session ID in the victim’s browser, the victim’s authenticated session will reuse that ID, allowing the attacker to maintain unauthorized access. This flaw permits session hijacking and potential misuse of the victim’s account privileges.

Affected Systems

The vulnerability affects the legacy Enhancesoft osTicket code base, specifically the 1.18.2 release. The legacy code base is in maintenance mode while Enhancesoft focuses on a complete rewrite (v2.0). No patch is available for the legacy version, and updates to it are significantly delayed.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, while the EPSS score of less than 1% shows a very low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. The attack requires the attacker to set a known session identifier in the victim's browser before authentication, implying a web-based attack vector that may be facilitated by phishing or social engineering. Because the application does not regenerate the session ID on login, once the victim authenticates the attacker holds a valid authenticated session without any further privileged action.

Generated by OpenCVE AI on June 17, 2026 at 21:51 UTC.

Remediation

Vendor Solution

The current (legacy) source code is in maintenance mode, whilst Enhancesoft is focusing on a complete rewrite of the code (v2.0). This means that release cycles and security updates for the legacy code have been significantly delayed.


OpenCVE Recommended Actions

  • Upgrade to osTicket 2.0 when it becomes available, as the rewrite addresses session handling issues.
  • Configure the application or web server to invalidate the pre‑authentication OSTSESSID cookie and generate a fresh session identifier immediately after login, if configuration options allow.
  • Clear or delete the OSTSESSID cookie from the client’s browser before prompting for login to ensure no session fixation can occur.
  • Monitor authentication logs for repeated use of the same session identifier by different users, which may indicate a session hijacking attempt.
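The Impact section above describes the flaw as a missing session-ID rotation at login, and the recommended actions ask for a fresh identifier after authentication plus monitoring for one session ID reused by different users. The following is an added illustration, not osTicket's code: a constructed in-memory session store with the flawed login beside the rotating one, and a small scanner over constructed log lines in a hypothetical `login ok user=… sid=… ip=…` format (the log format, the session ids and the user names are all assumptions made for the example).

```python
import re
import secrets
from collections import defaultdict


class SessionStore:
    """Constructed stand-in for a PHP-style session table keyed by the
    cookie value (OSTSESSID in osTicket). Not the project's own code."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": None or username}

    def start(self, sid=None):
        """Begin a request. Like a server that accepts any cookie value it
        is handed, an unknown caller-supplied id is adopted as-is; that is
        what lets an attacker plant a known id before the victim logs in."""
        if sid is None:
            sid = secrets.token_hex(16)
        if sid not in self.sessions:
            self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        """The pattern the advisory describes: the pre-authentication
        session is simply marked as authenticated. The id never changes,
        so anyone who already knows it now holds an authenticated session."""
        self.sessions[sid]["user"] = user
        return sid

    def login_hardened(self, sid, user):
        """Rotate on privilege change: drop the pre-authentication id
        and bind the authenticated context to a fresh, unguessable id."""
        self.sessions.pop(sid, None)           # old (possibly planted) id is dead
        new_sid = secrets.token_hex(16)        # 128 bits from the CSPRNG
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def user_for(self, sid):
        session = self.sessions.get(sid)
        return session["user"] if session else None


def fixation_outcome(hardened):
    """Replay the advisory's scenario and report who the planted id and the
    victim's final id resolve to. Returns (user_behind_planted_id, user_behind_victim_id)."""
    store = SessionStore()
    planted = "attacker-known-id"              # constructed value
    victim_sid = store.start(planted)          # victim's browser carries the planted cookie
    login = store.login_hardened if hardened else store.login_vulnerable
    victim_sid = login(victim_sid, "alice")
    return store.user_for(planted), store.user_for(victim_sid)


# Constructed sample authentication log (assumed format, not osTicket output).
LOG_LINES = [
    "2026-06-16T13:20:01Z login ok user=alice sid=5c1e9b2a7d3f4e60 ip=198.51.100.7",
    "2026-06-16T13:22:10Z login ok user=bob sid=a4f0c8d19e2b7c33 ip=198.51.100.9",
    "2026-06-16T13:25:42Z login ok user=alice sid=fixed-sid-0001 ip=198.51.100.7",
    "2026-06-16T13:26:03Z login ok user=mallory sid=fixed-sid-0001 ip=203.0.113.44",
    "2026-06-16T13:30:15Z login failed user=carol ip=198.51.100.12",
]

LOG_RE = re.compile(r"login ok user=(?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+)")


def sids_shared_across_users(lines):
    """Return {sid: sorted users} for every session id that more than one
    user authenticated under: the signal the advisory suggests monitoring."""
    users_by_sid = defaultdict(set)
    for line in lines:
        match = LOG_RE.search(line)
        if match:
            users_by_sid[match["sid"]].add(match["user"])
    return {sid: sorted(users) for sid, users in users_by_sid.items() if len(users) > 1}


if __name__ == "__main__":
    print("vulnerable:", fixation_outcome(hardened=False))
    print("hardened:  ", fixation_outcome(hardened=True))
    print("shared sids:", sids_shared_across_users(LOG_LINES))
```

With the vulnerable login the planted id resolves to `alice`; with the rotating login it resolves to nothing, because the id was discarded at the moment of authentication. In PHP, the rotation step corresponds to calling `session_regenerate_id(true)` after the credentials check so the pre-authentication session data is deleted rather than left reachable under the old id.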

Generated by OpenCVE AI on June 17, 2026 at 21:51 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 15:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Enhancesoft; Enhancesoft osticket
Vendors & Products   (none)           Enhancesoft; Enhancesoft osticket

Tue, 16 Jun 2026 13:15:00 +0000

Type         Values Removed   Values Added
Description  (none)           A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim's account by keeping the initial session identifier (OSTSESSID) active after a successful login. The issue lies in the fact that the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim's browser, they will be able to maintain unauthorised access to the account once the victim has authenticated.
Title        (none)           Session fixation vulnerability in Enhancesoft's osTicket
Weaknesses   (none)           CWE-38
References   (none)           (none)
Metrics      (none)           cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Enhancesoft Osticket
MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-06-16T16:18:10.713Z

Reserved: 2026-05-25T13:36:09.788Z

Link: CVE-2026-9507

Vulnrichment

Updated: 2026-06-16T16:18:06.428Z

NVD

Status : Deferred

Published: 2026-06-16T13:16:38.140

Modified: 2026-06-16T15:36:43.610

Link: CVE-2026-9507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T22:00:04Z

Weaknesses
  • CWE-38: Path Traversal: '\absolute\pathname\here'