CVE-2026-22200

osTicket PHP Filter Chain Injection Vulnerability

Horizon3.ai discovered a severe vulnerability affecting Enhancesoft osTicket, a popular open source help desk and ticketing system. This vulnerability allows anonymous attackers to read arbitrary files from the osTicket server, including sensitive configuration. When combined with another vulnerability CVE-2024-2961 affecting Linux hosts, this vulnerability can be exploited to upload webshells and execute arbitrary commands on the osTicket server.

Update Jan. 15: This vulnerability is now patched in version 1.18.3/1.17.7 of osTicket and all clients are recommended to update to the latest version.

Stop Guessing, Start Proving

NodeZero attack analysis showing osTicket PHP filter chain injection enabling file read and potential webshell execution (CVE-2026-22200)
Run a Test Now

What it is and why it matters

osTicket is an open source help desk and ticketing system that converts email, web forms, and API calls into tracked support tickets. It provides core help desk capabilities including ticket queues, SLA rules, assignment and filtering, canned responses, a knowledge base, email piping, and basic reporting. The platform is commonly self-hosted by organizations seeking a lightweight, low-cost support solution.

In its default configuration, osTicket permits anonymous ticket submission, anonymous ticket viewing, and user self-registration, enabling any attacker to exploit this vulnerability to access potentially sensitive files from the osTicket server, including configuration details such as database credentials and secret key material. If the host is also vulnerable to CVE-2024-2961 (CNEXT), an attacker could additionally execute arbitrary code and compromise the system.

There are thousands of Internet-facing instances of osTicket, and Horizon3 has observed that the vast majority of them are running with default settings that render them vulnerable to CVE-2026-22200.

Ticketing systems typically contain sensitive information such as tokens or credentials, and may act as a beachhead to pivot into internal networks, making them an appetizing target for attackers. Examples of recent vulnerabilities affecting ticketing systems that have been exploited in the wild include CVE-2024-28986 and CVE-2024-28987 affecting Solarwinds Web Help Desk, CVE-2021-44077 affecting ManageEngine ServiceDesk Plus, and CVE-2025-2775 and CVE-2025-2776 affecting SysAid.

Technical details

CVE-2026-22200 gives any user who can open and view tickets the ability to read arbitrary files from the osTicket server in the context of the account running the application. The exploit involves creating crafted tickets containing PHP filter expressions in rich text ticket fields, which are incorrectly sanitized by the osTicket application. When an attacker exports the ticket to a PDF, files from the server can also be exfiltrated, embedded as bitmap images within the PDF. 

In its default configuration, osTicket permits anonymous users to submit tickets, view ticket status, and self-register accounts. These settings allow anonymous attackers to gain the minimum level of access required to exploit the vulnerability and read arbitrary files, including sensitive configuration data, directly from the osTicket host.

Against Linux hosts vulnerable to another vulnerability CVE-2024-2961, this arbitrary file read condition can be escalated further. Attackers may be able to upload a web shell and execute arbitrary commands on the osTicket server.

Against Windows-based deployments, exploitation may enable access to files on other Windows hosts over SMB or trigger leakage of the NTLMv2 hash associated with the service account running osTicket.

Conditions for exploitation

Instances are considered highly likely to be exploitable when one or more of the following conditions are present:

  • User self-registration is enabled, allowing access to the account.php endpoint
  • Anonymous users can open tickets and view ticket status through the open.php and view.php endpoints. By default anonymous users do not have knowledge of their ticket id, but this can be trivially brute forced while bypassing rate limiting protection. 

It is also expected that osTicket has been configured with an email server, though this is a basic pre-requisite to effectively use the application in the first place.

Because exploitation can be intrusive, Horizon3.ai does not actively exploit this vulnerability in customer environments. Instead, exposure is assessed by identifying the vulnerability is present along with reachable functionality and configuration states that strongly indicate exploitability by unprivileged attackers.

NodeZero® Offensive Security Platform — Rapid Response

The Enhancesoft osTicket Rapid Response test identifies internet-facing osTicket instances that are highly likely to be exploitable by anonymous attackers. It allows teams to quickly assess exposure, prioritize mitigations, and validate that corrective actions have effectively reduced risk.

Recommended actions:

  • Run the Rapid Response test to identify vulnerable exposed osTicket instances
  • If vulnerable, update to the latest patch version 1.18.3 or 1.17.7 or take other mitigating actions.
  • Re-run the Rapid Response test to confirm that vulnerability is fixed or mitigated.

Affected versions and patch

Affected versions: All versions of osTicket < 1.18.3 or < 1.17.7 should be considered affected.

Mitigations

As of Jan. 15, 2026, a patch has been released and the recommended action is to update to the latest version. If that is not immediately possible, the following mitigations should be considered:

  • Implement network or host-based firewall rules to restrict access to the osTicket server
  • Update the osTicket configuration in the Admin Panel -> Users tab to disable user self-registration.
  • Update the osTicket configuration in the Admin Panel -> Users tab to require registration and login to submit tickets.
  • Update the osTicket configuration in the Admin Panel -> System tab to disable HTML in thread entries and e-mail correspondence.

Timeline

August 26, 2025
Horizon3.ai disclosed this vulnerability to Enhancesoft.

October – January 2025
Publicly exposed osTicket instances that were highly likely to be exploitable were identified, and affected organizations were alerted.

January 12, 2025
Public disclosure of CVE-2026-22200, following 120+ days since original disclosure to the vendor.

January 15, 2025
EnhanceSoft releases osTicket version 1.18.3/1.17.7, which patches this issue

References

🔗 https://www.cve.org/CVERecord?id=CVE-2026-22200
🔗 https://github.com/osTicket/osTicket/releases/tag/v1.18.3

Read about other CVEs

NodeZero® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.
Explore NodeZero

Recognized By