Best Practical Solutions RT
cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*
- <= 5.0.9
- >= 6.0.0, < 6.0.3
A vulnerability allowing authentication bypass has been identified in Request Tracker (RT) versions 5.0.9 and prior, as well as 6.0.0 through 6.0.2, when LDAP or Active Directory is used for user authentication. Under certain LDAP server configurations, an attacker could authenticate as any LDAP-backed RT user without valid credentials.
Exploitation of this vulnerability allows an attacker to bypass authentication and gain access as an LDAP user, potentially leading to unauthorized actions or access within the RT system.
Users are advised to upgrade to RT version 5.0.10 or 6.0.3. For those unable to upgrade immediately, a temporary workaround is to review the LDAP server's authentication policy to ensure it rejects unauthenticated bind attempts.
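The workaround above turns on the LDAP server's treatment of unauthenticated binds (RFC 4513 section 5.1.2: a simple bind that carries a DN but an empty password may be accepted as an unauthenticated bind on servers that permit it, without any credential check). The following is an added example, not code from RT or from this advisory: it assumes the client passes the submitted password straight to a simple bind, models a permissive and a strict server, and shows the client-side guard that keeps a permissive server from turning an unauthenticated bind into a logged-in session. The server class, directory contents and function names are constructed for illustration.

```python
# Constructed directory of DN -> password; not real data.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse battery staple",
    "uid=bob,ou=people,dc=example,dc=org": "hunter2",
}


class SimulatedLdapServer:
    """Models simple-bind semantics of RFC 4513 section 5.1 (constructed).

    With allow_unauthenticated=True, a bind carrying a DN but an empty
    password is treated as an *unauthenticated* bind and returns success
    even though no credential was verified. That is the server policy the
    advisory's workaround tells administrators to disable.
    """

    def __init__(self, allow_unauthenticated: bool):
        self.allow_unauthenticated = allow_unauthenticated

    def simple_bind(self, dn: str, password: str) -> bool:
        if password == "":
            # Unauthenticated bind: "success" only means the bind completed.
            return self.allow_unauthenticated
        return DIRECTORY.get(dn) == password


def ldap_login_unsafe(server: SimulatedLdapServer, dn: str, password: str) -> bool:
    """Treats any successful bind as proof of identity (the bug class):
    safe only while the server itself rejects unauthenticated binds."""
    return server.simple_bind(dn, password)


def ldap_login_safe(server: SimulatedLdapServer, dn: str, password: str) -> bool:
    """Refuses empty passwords before binding, so the outcome no longer
    depends on the server's unauthenticated-bind policy. This guard is an
    assumption for illustration; RT's own fix may differ."""
    if not password:
        return False
    return server.simple_bind(dn, password)
```

The server-side workaround corresponds to `allow_unauthenticated=False`; the client-side guard makes the login outcome independent of that setting.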