8.1
CVE-2026-41076
- EPSS 0.39%
- Veröffentlicht 22.05.2026 21:36:21
- Zuletzt bearbeitet 26.05.2026 20:03:14
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
RT: LDAP authentication bypass via empty password
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server's authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerbestpractical
≫
Produkt
rt
Version
< 5.0.10
Status
affected
Version
>= 6.0.0, < 6.0.3
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.39% | 0.308 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
https://github.com/bestpractical/rt/releases/tag/rt-5.0.10
https://github.com/bestpractical/rt/releases/tag/rt-6.0.3
https://github.com/bestpractical/rt/security/advisories/GHSA-3w28-fmcr-mjjx