
osTicket v1.18.3 - v1,17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure
7,1
High
Discovered by
External researcher
Summary
Full name
osTicket v1.18.3 - v1.17.7 - BOLA/IDOR in ticket field viewing allows cross-department data disclosure
Code name
State
Public
Release date
Affected product
osTicket
Vendor
osTicket
Affected version(s)
v1.18.3 - v.1.17.7
Fixed version(s)
v1.18.4 - v.1.17.8
Vulnerability name
Improper authorization control for web services
Vulnerability type
Remotely exploitable
Yes
CVSS v4.0 vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS v4.0 base score
7.1
Exploit available
Yes
CVE ID(s)
Description
osTicket versions v1.18.3 and v1.17.7 contain a Broken Object Level Authorization (BOLA) in the AJAX ticket-management subsystem. The vulnerable viewField() method in include/ajax.tickets.php retrieves a ticket and checks that the requested field exists, but does not verify that the authenticated agent is authorized to access the parent ticket.
Consequently, a low-privileged agent assigned only to one department can request fields from tickets in another department. The affected endpoint is:
The report identifies the vulnerable code at viewField() lines 805-806. The ticket_id and field_id parameters are user-controlled; sequential values enable practical enumeration when the agent can make authenticated requests.
Vulnerability
Root cause
The authorization boundary is missing from the read path:
viewField()obtains the ticket represented byticket_idand resolves the requestedfield_id.It returns the field data without invoking
$ticket->checkStaffPerm($thisstaff).An authenticated agent can therefore access a ticket field without passing the department-level permission check for that ticket.
The neighboring editField() method implements the expected control:
When the check fails, osTicket returns HTTP 403 Permission denied. The omission from viewField() is what permits an unauthorized request to receive HTTP 200 and the ticket field content.
PoC
Preconditions
A vulnerable osTicket instance.
Two isolated departments, for example
Dept-AandDept-B.A low-privileged agent assigned only to
Dept-A.A ticket in
Dept-Bcontaining a field theDept-Aagent is not allowed to view.
Reproduction
Configure the
exploit.pywith the osTicket base URL, theDept-Aagent credentials, and the target ticket and field IDs.Run the script:
The script authenticates at
/scp/login.php, obtains the CSRF token, and sends:On an affected version, the server responds with HTTP
200and returns the restricted field data. On a patched version, the same cross-department request returns HTTP403.
The PoC can also enumerate a small supplied list of field IDs after confirming the initial unauthorized read.
Evidence of Exploitation
Video of exploitation:
Our security policy
We have reserved the ID CVE-2026-14871 to refer to this issue from now on.
System Information
osTicket
Versions: v1.18.3 and v1.17.7
Operating System: Any deployment running the affected osTicket versions.
References
GitHub Repository: https://github.com/osTicket/osTicket/
Researcher advisory: https://medium.com/p/1abb8be847e6
Researcher PoC: https://github.com/JFOZ1010/CVE-2026-14871
Patch: https://github.com/osTicket/osTicket/releases/tag/v1.18.4 and https://github.com/osTicket/osTicket/releases/tag/v1.17.8
Mitigation
An updated version of osTicket is available at the vendor page.
Credits
The vulnerability was discovered by Juan Felipe Osorio Z, an independent security researcher.
Timeline
Vulnerability discovered
Vendor contacted
Vendor replied
Vendor confirmed
Vulnerability patched
Public disclosure
Does your application use this vulnerable software?
During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.













