CVE-2026-8194 Overview
CVE-2026-8194 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting osTicket versions up to 1.18.3. The flaw resides in an unknown function within include/class.dispatcher.php, part of the Dispatcher component. Manipulation of the _method argument allows attackers to bypass CSRF protections and trigger unintended state-changing actions on behalf of an authenticated user. The vulnerability is exploitable remotely over the network and requires user interaction, such as visiting an attacker-controlled page. Public disclosure of the exploit has occurred, and the osTicket maintainers were notified through a pull request but have not yet released a fix.
Critical Impact
Attackers can forge state-changing requests against authenticated osTicket users by manipulating the _method parameter, potentially modifying ticket data or configuration without user consent.
Affected Products
- osTicket versions up to and including 1.18.3
- The include/class.dispatcher.php file in the Dispatcher component
- Deployments running unpatched osTicket installations exposed to untrusted web traffic
Discovery Timeline
- 2026-05-09 - CVE-2026-8194 published to the National Vulnerability Database
- 2026-05-11 - Last updated in NVD database
Technical Details for CVE-2026-8194
Vulnerability Analysis
The vulnerability is a CSRF weakness located in the Dispatcher component of osTicket. The Dispatcher is responsible for routing HTTP requests to the appropriate handler based on the requested method and resource. Attackers can manipulate the _method argument to bypass CSRF token validation, allowing forged requests to be processed as if they originated from a legitimate authenticated session.
Because the Dispatcher honors the _method parameter to override the HTTP verb, an attacker can craft a request that appears as a benign GET or POST while triggering a sensitive action server-side. When a logged-in osTicket user is lured to an attacker-controlled page, the browser submits the forged request with the user's session cookies attached.
Root Cause
The root cause is insufficient validation of the _method argument within include/class.dispatcher.php. CSRF protection logic does not consistently apply when the request method is overridden through this parameter. This gap permits the Dispatcher to execute state-changing operations without verifying a valid anti-CSRF token tied to the user session.
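To make the root cause concrete, the following is an added Python model of the weakness class described here, not osTicket's code and not taken from include/class.dispatcher.php: a small dispatcher that honours a `_method` override parameter, with a CSRF check that only looks at the transport verb (the gap) next to a hardened check that validates the token against the effective method and refuses overrides on non-POST requests. The request and session types, the token scheme and the handler names are all hypothetical.

```python
# Added illustration, not osTicket code: a minimal model of an HTTP dispatcher that
# honours a `_method` override parameter. dispatch_vulnerable() checks the CSRF token
# only on the transport verb, so a GET carrying an override reaches a state-changing
# handler unchecked; dispatch_hardened() checks the token against the effective
# method. All names and the token scheme are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
OVERRIDE_PARAM = "_method"


@dataclass
class Request:
    verb: str
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


@dataclass
class Session:
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def csrf_token(self) -> str:
        # Hypothetical per-session token; real applications bind it to the session id.
        return hmac.new(self.secret, b"csrf", hashlib.sha256).hexdigest()

    def token_valid(self, presented) -> bool:
        return isinstance(presented, str) and hmac.compare_digest(presented, self.csrf_token())


def effective_method(req: Request) -> str:
    """Verb the handler will act on, after applying the override parameter."""
    override = req.params.get(OVERRIDE_PARAM)
    if override:
        return override.upper()
    return req.verb.upper()


def dispatch_vulnerable(req: Request, session: Session) -> str:
    """Token is checked only against the transport verb, so GET + _method=DELETE
    is routed to the DELETE handler without any token check."""
    if req.verb.upper() == "POST" and not session.token_valid(req.params.get("csrf_token")):
        return "403 csrf"
    return f"handled {effective_method(req)}"


def dispatch_hardened(req: Request, session: Session) -> str:
    """Override is only honoured on a real POST, and a valid token is required
    whenever the *effective* method changes state."""
    method = effective_method(req)
    if method != req.verb.upper() and req.verb.upper() != "POST":
        return "400 override not allowed on " + req.verb.upper()
    if method in STATE_CHANGING and not session.token_valid(req.params.get("csrf_token")):
        return "403 csrf"
    return f"handled {method}"
```

The hardened variant is the shape of the workaround suggested later in this advisory: decide whether a CSRF token is required from the method the application will actually act on, never from the verb the browser happened to send.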
Attack Vector
Exploitation occurs over the network and requires user interaction. The attacker hosts a malicious page or sends a link that, when visited by an authenticated osTicket user, issues a crafted HTTP request containing the manipulated _method argument. The osTicket Dispatcher processes the request using the victim's authenticated session, allowing the attacker to perform actions that would normally require explicit user intent. Public exploit details are available, increasing the likelihood of opportunistic abuse.
No verified proof-of-concept code is published in this advisory. Refer to the GitHub Security Advisory and GitHub Pull Request #6945 for technical details on the bypass mechanism.
Detection Methods for CVE-2026-8194
Indicators of Compromise
- HTTP requests to osTicket endpoints containing an unexpected _method parameter, particularly with verb-override values such as PUT, DELETE, or PATCH.
- Requests with mismatched Origin or Referer headers compared to the osTicket host serving the Dispatcher.
- Unexpected state changes (ticket modifications, configuration updates) tied to user sessions without corresponding user-driven UI activity.
Detection Strategies
- Inspect web server and application logs for requests targeting paths handled by include/class.dispatcher.php that include the _method argument.
- Correlate session activity with browser navigation patterns to identify forged requests issued without legitimate user interaction.
- Deploy a Web Application Firewall (WAF) rule to flag or block requests where _method overrides the HTTP verb without a valid CSRF token.
Monitoring Recommendations
- Monitor osTicket administrative and agent actions for anomalous frequency or off-hours activity.
- Enable detailed access logging on the web server fronting osTicket to capture request bodies and query strings for forensic review.
- Alert on cross-origin requests targeting authenticated osTicket endpoints, especially from referrers outside the trusted domain.
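The indicators and strategies above can be turned into a log scan. The following is an added Python example, not part of the advisory, run over constructed JSON-lines access-log records; it assumes a log format that captures the query string and request body (as the monitoring recommendations suggest) with the field names `method`, `path`, `query`, `body`, `headers` and `session`, and an assumed trusted hostname of osticket.example.com. It flags `_method` overrides, overrides arriving on GET, requests with no Referer/Origin at all, and cross-origin Referer/Origin values.

```python
# Added example, not part of the advisory: detection logic for the listed indicators,
# run over constructed JSON-lines access-log records. Field names and the trusted
# hostname are assumptions about the deployment.
import json
from urllib.parse import parse_qs, urlsplit

TRUSTED_HOST = "osticket.example.com"   # assumed deployment hostname
OVERRIDE_VERBS = {"PUT", "DELETE", "PATCH"}

# Constructed sample records: one legitimate POST, one GET carrying an override with a
# foreign Referer, one POST override with no Referer/Origin, one ordinary page load.
SAMPLE_LOG = """\
{"ts":"2026-05-12T09:14:02Z","method":"POST","path":"/scp/tickets.php","query":"","body":"_method=POST&csrf_token=abc","headers":{"Referer":"https://osticket.example.com/scp/tickets.php","Origin":"https://osticket.example.com"},"session":"s1"}
{"ts":"2026-05-12T09:15:10Z","method":"GET","path":"/scp/tickets.php","query":"id=42&_method=delete","body":"","headers":{"Referer":"https://evil.example.net/page.html"},"session":"s1"}
{"ts":"2026-05-12T09:15:11Z","method":"POST","path":"/scp/settings.php","query":"","body":"_method=PATCH&x=1","headers":{},"session":"s2"}
{"ts":"2026-05-12T09:16:00Z","method":"GET","path":"/scp/index.php","query":"","body":"","headers":{"Referer":"https://osticket.example.com/scp/"},"session":"s1"}
"""


def _origin_host(value):
    """Hostname of a Referer/Origin header value, or None if the header is absent."""
    if not value:
        return None
    return urlsplit(value).hostname


def override_verb(record):
    """Uppercased _method value found in the query string or body, or None."""
    for raw in (record.get("query", ""), record.get("body", "")):
        vals = parse_qs(raw).get("_method")
        if vals:
            return vals[0].upper()
    return None


def classify(record):
    """Names of the indicators that fire for one log record (empty list if none)."""
    hits = []
    verb = override_verb(record)
    headers = record.get("headers", {})
    src_hosts = {_origin_host(headers.get(h)) for h in ("Referer", "Origin")} - {None}
    cross_site = bool(src_hosts - {TRUSTED_HOST})
    if verb in OVERRIDE_VERBS:
        hits.append("method_override")
        if not src_hosts:
            hits.append("no_referer_or_origin")
    if cross_site:
        hits.append("cross_origin")
    if verb in OVERRIDE_VERBS and record.get("method", "").upper() == "GET":
        hits.append("override_on_get")
    return hits


def scan(log_text):
    """Return (timestamp, session, path, indicators) for every record with a hit."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hits = classify(rec)
        if hits:
            findings.append((rec["ts"], rec["session"], rec["path"], hits))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A request with an override but no Referer or Origin header is reported separately, because a purely negative "Referer is not our host" check silently passes such requests; correlating the flagged session ids with ticket or configuration changes around the same timestamps is the next triage step.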
How to Mitigate CVE-2026-8194
Immediate Actions Required
- Restrict access to osTicket administrative interfaces using network controls or VPN gating until a patch is released.
- Enforce strict SameSite=Strict or SameSite=Lax cookie attributes on osTicket session cookies to limit cross-site request submission.
- Educate agents and administrators to avoid clicking untrusted links while logged into the osTicket portal.
Patch Information
At the time of publication, the osTicket project has not released an official patch. A community pull request, GitHub Pull Request #6945, proposes a fix but has not been merged. Organizations should track the osTicket repository for an upstream release that closes the _method bypass in include/class.dispatcher.php.
Workarounds
- Apply a custom modification to include/class.dispatcher.php to validate CSRF tokens regardless of the _method parameter value.
- Deploy WAF rules that reject requests containing the _method argument when the originating Referer or Origin header does not match the osTicket host.
- Reduce session lifetime and require re-authentication for sensitive administrative actions to limit the window of CSRF abuse.
# Example WAF rules (ModSecurity) to block a _method override without a same-origin Referer.
# Replace osticket.example.com with the real hostname; the second rule id is an example value.
# Rule 1 catches a missing Referer, which a negated @beginsWith check alone never matches,
# so a forged request that simply omits the header would otherwise pass. Values are
# matched case-insensitively as a precaution.
SecRule ARGS:_method "@rx ^(?i:PUT|DELETE|PATCH)$" \
    "id:1008194,phase:2,deny,status:403,chain,msg:'osTicket CVE-2026-8194 CSRF _method override, no Referer'"
    SecRule &REQUEST_HEADERS:Referer "@eq 0"
SecRule ARGS:_method "@rx ^(?i:PUT|DELETE|PATCH)$" \
    "id:1008195,phase:2,deny,status:403,chain,msg:'osTicket CVE-2026-8194 CSRF _method override, foreign Referer'"
    SecRule REQUEST_HEADERS:Referer "!@beginsWith https://osticket.example.com/"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.