CVE-2026-41076 · HIGH 8.1 · EPSS percentile 37.6%

Description

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior, as well as 6.0.0 through 6.0.2, contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user without supplying valid credentials. This issue has been fixed in versions 5.0.10 and 6.0.3. If administrators are unable to upgrade immediately, they can temporarily work around this issue by reviewing their LDAP server's authentication policy to ensure it rejects unauthenticated bind attempts. Upgrading RT remains the recommended fix.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.48% probability of exploitation · percentile 37.6% · 2026-06-18T12:00:27Z
Published: 2026-05-22
Last modified: 2026-05-26

Underlying weaknesses · 1

CWE-287 (Improper Authentication)

References

  1. https://github.com/bestpractical/rt/releases/tag/rt-5.0.10
  2. https://github.com/bestpractical/rt/releases/tag/rt-6.0.3
  3. https://github.com/bestpractical/rt/security/advisories/GHSA-3w28-fmcr-mjjx

Weakness mapping · 1

Type: Weakness
Target: Improper Authentication (cwe-287)
Confidence: 0%
Tier: live

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.