USN-8506-1: Request Tracker vulnerabilities

Publication date

6 July 2026

Overview

Several security issues were fixed in Request Tracker.


Packages

Details

Aleksander Iwicki discovered that Request Tracker did not properly sanitize
the search "Page" URL parameter. A remote attacker could possibly use this
issue to conduct a reflected cross-site scripting attack. (CVE-2026-6841)

It was discovered that Request Tracker did not properly sanitize user-
controlled data written to spreadsheet exports of search results. A remote
attacker could possibly use this issue to conduct a spreadsheet
(CSV/formula) injection attack, causing spreadsheet applications to
interpret crafted values as formulas or macros when the file is opened.
(CVE-2026-41073)

It was discovered that Request Tracker did not properly validate input
incorporated into database queries via the entry_aggregator parameter in
JSON search. An authenticated user could possibly use this issue to perform
SQL injection attacks and read or modify data in...

Aleksander Iwicki discovered that Request Tracker did not properly sanitize
the search "Page" URL parameter. A remote attacker could possibly use this
issue to conduct a reflected cross-site scripting attack. (CVE-2026-6841)

It was discovered that Request Tracker did not properly sanitize user-
controlled data written to spreadsheet exports of search results. A remote
attacker could possibly use this issue to conduct a spreadsheet
(CSV/formula) injection attack, causing spreadsheet applications to
interpret crafted values as formulas or macros when the file is opened.
(CVE-2026-41073)

It was discovered that Request Tracker did not properly validate input
incorporated into database queries via the entry_aggregator parameter in
JSON search. An authenticated user could possibly use this issue to perform
SQL injection attacks and read or modify data in the RT database.
(CVE-2026-41075)

It was discovered that Request Tracker contained an authentication bypass
when configured to authenticate users against an LDAP or Active Directory
server. Under certain LDAP server configurations, a remote attacker could
possibly use this issue to authenticate as any LDAP-backed RT user without
supplying valid credentials. (CVE-2026-41076)

It was discovered that Request Tracker served certain uploaded content
inline rather than as an attachment. A remote attacker could possibly use
this issue to conduct a cross-site scripting attack. (CVE-2026-44229)

It was discovered that Request Tracker did not properly sanitize input on
search-results chart pages. A remote attacker could possibly use this issue
to conduct a reflected cross-site scripting attack. (CVE-2026-44230)

Jeroen Gui discovered that Request Tracker did not properly restrict access
to the REST 2.0 user collection endpoint. A privileged user could possibly
use this issue to obtain authentication credentials belonging to other
users, including administrators, resulting in privilege escalation and
information disclosure. (CVE-2026-44231)


Update instructions

After a standard system update you need to restart request-tracker5 to make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
26.04 LTS resolute request-tracker5 –  5.0.7+dfsg-6ubuntu0.1~esm1  
rt5-apache2 –  5.0.7+dfsg-6ubuntu0.1~esm1  
rt5-clients –  5.0.7+dfsg-6ubuntu0.1~esm1  
rt5-db-mysql –  5.0.7+dfsg-6ubuntu0.1~esm1  
rt5-db-postgresql –  5.0.7+dfsg-6ubuntu0.1~esm1  
rt5-db-sqlite –  5.0.7+dfsg-6ubuntu0.1~esm1  
rt5-fcgi –  5.0.7+dfsg-6ubuntu0.1~esm1  
rt5-standalone –  5.0.7+dfsg-6ubuntu0.1~esm1  
24.04 LTS noble request-tracker5 –  5.0.5+dfsg-2ubuntu0.1~esm2  
rt5-apache2 –  5.0.5+dfsg-2ubuntu0.1~esm2  
rt5-clients –  5.0.5+dfsg-2ubuntu0.1~esm2  
rt5-db-mysql –  5.0.5+dfsg-2ubuntu0.1~esm2  
rt5-db-postgresql –  5.0.5+dfsg-2ubuntu0.1~esm2  
rt5-db-sqlite –  5.0.5+dfsg-2ubuntu0.1~esm2  
rt5-fcgi –  5.0.5+dfsg-2ubuntu0.1~esm2  
rt5-standalone –  5.0.5+dfsg-2ubuntu0.1~esm2  
22.04 LTS jammy request-tracker5 –  5.0.1+dfsg-1ubuntu1+esm2  
rt5-apache2 –  5.0.1+dfsg-1ubuntu1+esm2  
rt5-clients –  5.0.1+dfsg-1ubuntu1+esm2  
rt5-db-mysql –  5.0.1+dfsg-1ubuntu1+esm2  
rt5-db-postgresql –  5.0.1+dfsg-1ubuntu1+esm2  
rt5-db-sqlite –  5.0.1+dfsg-1ubuntu1+esm2  
rt5-fcgi –  5.0.1+dfsg-1ubuntu1+esm2  
rt5-standalone –  5.0.1+dfsg-1ubuntu1+esm2  

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›