CVE-2026-22200

osTicket PHP Filter Chain Injection Vulnerability

Horizon3.ai discovered a severe vulnerability affecting Enhancesoft osTicket, a popular open source help desk and ticketing system. This vulnerability allows anonymous attackers to read arbitrary files from the osTicket server, including sensitive configuration. When combined with another vulnerability, CVE-2024-2961, affecting Linux hosts, this vulnerability can be exploited to upload webshells and execute arbitrary commands on the osTicket server.

At the time of publication, 120+ days have passed since original disclosure to the vendor, and this vulnerability remains unpatched. As a result, every deployment is vulnerable, but depending on the configuration, Internet-facing instances may or may not be at risk of exploitation by an anonymous attacker. NodeZero has observed many instances running with exploitable configurations. Detailed mitigation guidance is provided below.


What it is and why it matters

osTicket is an open source help desk and ticketing system that converts email, web forms, and API calls into tracked support tickets. It provides core help desk capabilities including ticket queues, SLA rules, assignment and filtering, canned responses, a knowledge base, email piping, and basic reporting. The platform is commonly self-hosted by organizations seeking a lightweight, low-cost support solution. There are thousands of Internet-facing installations of osTicket.

In its default configuration, osTicket permits anonymous ticket submission, anonymous ticket viewing, and user self-registration, enabling any attacker to exploit this vulnerability to access potentially sensitive files from the osTicket server, including configuration details such as database credentials and secret key material. If the host is also vulnerable to CVE-2024-2961 (CNEXT), an attacker could additionally execute arbitrary code and compromise the system.

Ticketing systems typically contain sensitive information such as tokens or credentials, and may act as a beachhead to pivot into internal networks, making them an appetizing target for attackers. Examples of recent vulnerabilities affecting ticketing systems that have been exploited in the wild include CVE-2024-28986 and CVE-2024-28987 affecting SolarWinds Web Help Desk, CVE-2021-44077 affecting ManageEngine ServiceDesk Plus, and CVE-2025-2775 and CVE-2025-2776 affecting SysAid.

Technical details

CVE-2026-22200 gives any user who can open and view tickets the ability to read arbitrary files from the osTicket server in the context of the account running the application. The exploit involves creating crafted tickets containing PHP filter expressions in rich text ticket fields, which the osTicket application fails to sanitize correctly. When an attacker exports the ticket to a PDF, files from the server can also be exfiltrated, embedded as bitmap images within the PDF.
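The root cause described above is rich-text content that carries a PHP stream wrapper (the `php://filter` wrapper) in a URL-bearing attribute, which the application later resolves as a file path. The following is an added example, not osTicket code or code from Horizon3.ai, showing how a defender can audit stored thread entries or gate new submissions for that pattern: it parses the HTML, pulls every URL out of `src`/`href`-style attributes and inline CSS `url()`, and flags any scheme not on a small allowlist. The allowlist and the sample entries are assumptions constructed for the example.

```python
"""Audit rich-text ticket entries for embedded PHP stream wrappers.

Added example, not part of osTicket. Flags any URL-bearing attribute or
inline CSS url() whose scheme is not on the allowlist, which catches
php://, data:, file: and similar wrappers in one pass.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: these are the only schemes a help desk legitimately needs in
# inline content. "" covers relative links; cid: covers inline email images.
ALLOWED_SCHEMES = {"", "http", "https", "mailto", "cid"}

# Attributes whose value is fetched as a resource by HTML or PDF renderers.
URL_ATTRS = {"src", "href", "background", "data", "poster", "action"}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)


class WrapperFinder(HTMLParser):
    """Collects (tag, attribute, scheme, url) for every disallowed scheme."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True decodes &#x70;hp:// etc.
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            name = name.lower()
            if name in URL_ATTRS:
                self._check(tag, name, value)
            elif name == "style":
                for url in CSS_URL_RE.findall(value):
                    self._check(tag, "style", url)

    def _check(self, tag, attr, url):
        url = url.strip()
        try:
            scheme = urlsplit(url).scheme  # urlsplit lower-cases the scheme
        except ValueError:
            scheme = "<malformed>"
        if scheme not in ALLOWED_SCHEMES:
            self.findings.append((tag, attr, scheme, url))


def scan_entry(html: str) -> list:
    """Return the disallowed-scheme findings for one thread entry."""
    finder = WrapperFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def flagged_entries(entries: dict) -> list:
    """Return the sorted ids of entries with at least one finding."""
    return sorted(eid for eid, html in entries.items() if scan_entry(html))


# Constructed sample thread entries (not real ticket data).
SAMPLE_ENTRIES = {
    "t1001": '<p>Printer on floor 3 is jammed.</p>'
             '<img src="https://intranet.example/printer.png">',
    "t1002": '<p>See attached</p>'
             '<img src=" PHP://filter/resource=/etc/hostname ">',
    "t1003": '<div style="background:url(php://filter/resource=/etc/hostname)">x</div>',
    "t1004": '<a href="data:text/html;base64,QQ==">click</a>',
}

if __name__ == "__main__":
    for eid in flagged_entries(SAMPLE_ENTRIES):
        for tag, attr, scheme, url in scan_entry(SAMPLE_ENTRIES[eid]):
            print(f"{eid}: <{tag} {attr}> uses scheme {scheme!r}: {url}")
```

Running the block prints one line per finding for entries t1002, t1003 and t1004 and nothing for t1001. Because the check is an allowlist rather than a denylist of wrapper names, a `data:` URI is flagged alongside `php://`; widen `ALLOWED_SCHEMES` only for schemes the renderer is known to handle safely. Note that this is an audit and gating aid, not a substitute for the mitigation of disabling HTML in thread entries described later in the advisory.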

In its default configuration, osTicket permits anonymous users to submit tickets, view ticket status, and self-register accounts. These settings allow anonymous attackers to gain the minimum level of access required to exploit the vulnerability and read arbitrary files, including sensitive configuration data, directly from the osTicket host.

Against Linux hosts vulnerable to another vulnerability, CVE-2024-2961, this arbitrary file read condition can be escalated further. Attackers may be able to upload a web shell and execute arbitrary commands on the osTicket server.

Against Windows-based deployments, exploitation may enable access to files on other Windows hosts over SMB or trigger leakage of the NTLMv2 hash associated with the service account running osTicket.

Conditions for exploitation

Instances are considered highly likely to be exploitable when one or more of the following conditions are present:

  • User self-registration is enabled, allowing access to the account.php endpoint
  • Anonymous users can open tickets and view ticket status through the open.php and view.php endpoints. By default anonymous users do not have knowledge of their ticket ID, but this can be trivially brute forced while bypassing rate limiting protection.

It is also expected that osTicket has been configured with an email server, though this is a basic prerequisite to effectively use the application in the first place.

Because exploitation can be intrusive, Horizon3.ai does not actively exploit this vulnerability in customer environments. Instead, exposure is assessed by identifying reachable functionality and configuration states that strongly indicate exploitability by unprivileged attackers.

NodeZero® Offensive Security Platform — Rapid Response

The Enhancesoft osTicket Rapid Response test identifies internet-facing osTicket instances that are highly likely to be exploitable based on configuration and reachable workflows. It allows teams to quickly assess exposure, prioritize mitigations, and validate that corrective actions have effectively reduced risk.

Recommended actions:

  • Run the Rapid Response test to identify exposed osTicket instances with exploitable configurations
  • Apply mitigations immediately, as no vendor patch is currently available
  • Re-run the Rapid Response test to confirm that mitigations have removed exploitability conditions. Note: even with the exploitable conditions mitigated, it may still be possible for authenticated users to exploit this vulnerability.

Affected versions and patch

Affected versions: All versions of osTicket should be considered affected. The current latest version of osTicket is 1.18.2.

Patch status: No vendor patch is currently available. Exploitability depends on configuration, particularly whether self-registration and anonymous ticket workflows are enabled. This is the default configuration of osTicket.

Mitigations

Until a patch is released, organizations should reduce exposure by limiting access and disabling high-risk functionality:

  • Implement network or host-based firewall rules to restrict access to the osTicket server
  • Update the osTicket configuration in the Admin Panel -> Users tab to disable user self-registration.
  • Update the osTicket configuration in the Admin Panel -> Users tab to require registration and login to submit tickets.
  • Update the osTicket configuration in the Admin Panel -> System tab to disable HTML in thread entries and e-mail correspondence.

Timeline

Late August 2025
Horizon3.ai discovered and disclosed this vulnerability among a few others to Enhancesoft.

October – January 2025
Publicly exposed osTicket instances that were highly likely to be exploitable were identified, and affected organizations were alerted.

January 2025
Public disclosure of CVE-2026-22200, following 120+ days since original disclosure to the vendor.

References

https://www.cve.org/CVERecord?id=CVE-2026-22200
