CVE-2026-41074

Description

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.3.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

Low

Affected products

bestpractical / rt>= 6.0.0, < 6.0.3 – >= 6.0.0, < 6.0.3

References

VENDOR_ADVISORYhttps://github.com/bestpractical/rt/security/advisories/GHSA-265j-qx4w-256j
PATCHhttps://github.com/bestpractical/rt/releases/tag/rt-6.0.3