Vulnerability Description
Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests for outbound HTTPS requests issued during the mobile (RouteMate) login flow. An attacker positioned on the network path between the server and the remote endpoint can present a forged certificate to intercept, monitor, or modify the request and response, including any API keys or session-bearing data in transit.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/openises/tickets/commit/ecfeb406a016766cae81c749e14b5145a9f2d
- https://github.com/openises/tickets/releases/tag/v3.44.2
- https://www.vulncheck.com/advisories/open-ises-tickets-disabled-tls-certificate-
FAQ
What is CVE-2026-48249?
CVE-2026-48249 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing o...
How severe is CVE-2026-48249?
CVE-2026-48249 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-48249?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.