
CVE-2026-22200: Ticket-to-Shell in osTicket - PHP Filter RCE

A critical remote code execution flaw (CVE-2026-22200) allows unauthenticated attackers to inject malicious PHP filter chains into osTicket tickets and exfiltrate files via PDF export. The vulnerability, patched in osTicket 1.18.3/1.17.7, threatens any self-hosted deployment.

Overview/Introduction

On January 22, 2026, Horizon3.ai disclosed CVE-2026-22200, a high-impact vulnerability in the popular open-source help-desk platform osTicket. The flaw enables an unauthenticated attacker to inject arbitrary PHP filter chains into a ticket description, force the mPDF library to render those filters as bitmap images, and ultimately achieve both arbitrary file reads and remote code execution (RCE). When combined with the previously disclosed CVE-2024-2961 (CNEXT), the attack surface widens dramatically, giving the attacker a near-direct “ticket-to-shell” path.

osTicket powers thousands of internal help-desk instances across enterprises, managed service providers (MSPs), and educational institutions. Because many deployments expose the ticket-viewing endpoint to the public (guest tickets are enabled by default), the vulnerability can be exploited without any credentials, making it a prime candidate for automated scanning and mass exploitation.

Technical Details

CVE Identifier and Affected Versions

CVE-2026-22200 affects all osTicket versions prior to 1.18.3 and 1.17.7. The vulnerability resides in the ticket-export workflow that hands off user-controlled content to the mPDF PDF generation library.

Attack Vector

The exploit chain can be broken down into three logical steps:

  • Input Injection: An attacker creates a new ticket (or replies to an existing one) and embeds a specially crafted src attribute in an <img> tag. The attribute contains a PHP filter chain expression, for example:
    <img src="php://filter/convert.base64-encode/resource=/etc/passwd">
  • PDF Rendering Trigger: A user (or the attacker themselves) clicks the “Export to PDF” button. osTicket calls mPDF with the ticket HTML. mPDF resolves the src attribute, processes the PHP filter, and embeds the resulting data as a bitmap image inside the PDF.
  • Data Exfiltration / Code Execution: The generated PDF contains the base64-encoded contents of the target file (e.g., /etc/passwd, .ssh/id_rsa, or any readable file). The attacker downloads the PDF and extracts the image to retrieve the plaintext. When the filter chain references a PHP file that contains malicious code (e.g., a web-shell placed via another upload vector), the mPDF library will execute it, effectively achieving RCE. Chaining with CVE-2024-2961 (CNEXT) allows the attacker to write a PHP web-shell to the web root, completing the “ticket-to-shell” loop.

Why PHP Filters Matter

PHP’s php://filter wrapper permits on-the-fly transformation of streams. By chaining filters (e.g., convert.base64-encode), an attacker can turn any readable file into a printable string without needing direct file-read functions. The vulnerability arises because osTicket does not sanitize or whitelist URLs passed to mPDF, effectively trusting user-provided markup.
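The kind of allow-list that closes this gap, shown here as an added example (it is not osTicket's patch, whose exact implementation this article does not show, and the function names and the sample ticket are assumed):

```php
<?php
// Added example, not osTicket's or mPDF's own code: an allow-list for image
// sources applied to ticket HTML before it is handed to mPDF, so that stream
// wrappers (php://filter, file://, phar://, glob://, ...) are never resolved.

/** Only http(s) URLs and inline base64 images are acceptable in a PDF export. */
function isAllowedImageSrc(string $src): bool
{
    $src = trim($src);
    if (preg_match('#^data:image/(png|jpe?g|gif);base64,#i', $src)) {
        return true;
    }
    // Every other scheme (php:, file:, phar:, glob:, javascript:, ...) and any
    // bare local path is rejected, since mPDF would open those from disk. A
    // deployment that serves inline attachments adds their URL prefix here.
    return (bool) preg_match('#^https?://#i', $src);
}

/** Replaces each disallowed <img> with a text marker and drops inline url() CSS. */
function sanitizeTicketHtmlForPdf(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // ticket HTML is rarely well-formed
    // The XML prolog forces UTF-8; the <div> gives NOIMPLIED a single root node.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    // Copy the live NodeList first: replacing nodes while iterating it skips items.
    foreach (iterator_to_array($doc->getElementsByTagName('img'), false) as $img) {
        // The parser decodes entities, so php&#58;// or &#112;hp:// cannot slip past.
        if (!isAllowedImageSrc($img->getAttribute('src'))) {
            $img->parentNode->replaceChild($doc->createTextNode('[image removed]'), $img);
        }
    }
    // mPDF also loads url() from inline CSS (background-image); strip such styles.
    foreach (iterator_to_array($doc->getElementsByTagName('*'), false) as $el) {
        if ($el->hasAttribute('style') && stripos($el->getAttribute('style'), 'url(') !== false) {
            $el->removeAttribute('style');
        }
    }
    return $doc->saveHTML($doc->documentElement);   // the wrapper <div> is harmless to mPDF
}

// Constructed sample: the injection from the article next to a legitimate image.
$ticket = '<p>Printer jam in room 4</p>'
        . '<img src="php://filter/convert.base64-encode/resource=/etc/passwd">'
        . '<img src="https://tickets.example.com/images/logo.png">';
echo sanitizeTicketHtmlForPdf($ticket), PHP_EOL;
```

Running it leaves the https logo in place and replaces the php://filter image with the text marker, so the renderer never sees a stream-wrapper URL.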

Proof-of-Concept (Simplified)

POST /osticket/upload.php HTTP/1.1
Host: tickets.example.com
Content-Type: multipart/form-data; boundary=---12345

-----12345
Content-Disposition: form-data; name="message"

<img src="php://filter/convert.base64-encode/resource=/var/www/html/config.php" />
-----12345--

After the ticket is created, the attacker navigates to /osticket/view.php?id=XYZ&export=pdf. The resulting PDF contains the base64-encoded config.php, which can be decoded to obtain database credentials and other secrets.

Impact Analysis

The vulnerability is classified as Critical for several reasons:

  • Unauthenticated Exploitation: No credentials are required; the attacker only needs to reach the ticket-creation endpoint.
  • Arbitrary File Read: Any file readable by the web-server user can be exfiltrated, including configuration files, credential stores, and private keys.
  • Remote Code Execution: By leveraging PHP filter chains or chaining with CVE-2024-2961, an attacker can execute arbitrary PHP code and obtain a foothold on the host.
  • Broad Deployment Base: osTicket is widely used in SMBs, MSPs, and even large enterprises that self-host the application.

Compromise of a ticketing system often leads to exposure of internal support emails, VPN tokens, and other privileged data, making it a potent pivot point for lateral movement within a network.

Timeline of Events

  • 2025-11-12: Initial internal security review of osTicket’s PDF export module by Horizon3.ai.
  • 2026-01-04: Proof-of-concept code for PHP filter injection completed.
  • 2026-01-15: Coordination with osTicket maintainers begins; responsible disclosure initiated.
  • 2026-01-20: Vendor releases patches for 1.18.3 and 1.17.7.
  • 2026-01-22: Public disclosure via Horizon3.ai blog (this article) and MITRE CVE entry.

Mitigation/Recommendations

  • Apply Vendor Patch Immediately: Upgrade to osTicket 1.18.3 or 1.17.7, which sanitizes image URLs and disables the use of php://filter in the PDF export path.
  • Disable Guest Ticket Access: If not required, turn off unauthenticated ticket creation/viewing in the admin panel.
  • Restrict PHP Filters: Add allow_url_include=0 and disable_functions=phpinfo,exec,shell_exec,system in php.ini. Consider disabling the php://filter wrapper via allow_url_fopen=0 if the application does not rely on it. Note that the php:// wrappers are local and are not governed by allow_url_fopen, so that setting on its own will not block the filter chain used here; treat these php.ini changes as defence in depth alongside the vendor patch, not as a substitute for it.
  • Web-Application Firewall (WAF) Rules: Deploy rules that block php://filter strings in request bodies and URLs.
  • File-System Permissions: Run the web server under a least-privilege user and ensure it cannot read files outside the document root unless explicitly required.
  • Monitor for PDF Export Abuse: Log and alert on unusually large numbers of PDF export requests, especially from new or unauthenticated IPs.
  • Regular Patch Management: Subscribe to osTicket security mailing lists and integrate automated updates into your CI/CD pipeline.
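A detector for the WAF and monitoring items above, as an added example that is not part of this article or of osTicket; the access-log lines, the function names and the threshold values are constructed and assumed:

```php
<?php
// Added example, not part of the article or of osTicket: a detector for two of the
// signals listed above, run over constructed Apache "combined" access-log lines. It
// flags php://filter in a request URI and a burst of /view.php?...&export=pdf hits.
const EXPORT_THRESHOLD = 3;    // exports per client inside the window before alerting
const WINDOW_SECONDS   = 300;  // 5-minute sliding window
/** Parses one combined-format line into ['ip', 'ts', 'uri'], or null if malformed. */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*"/', $line, $m)
        || ($ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2])) === false) {
        return null;
    }
    // Decode once so php%3A%2F%2Ffilter is matched as well as the literal form.
    return ['ip' => $m[1], 'ts' => $ts->getTimestamp(), 'uri' => rawurldecode($m[3])];
}

/** Returns alert strings; a burst is reported when a client's count reaches the threshold. */
function detectPdfExportAbuse(array $lines): array
{
    $alerts  = [];
    $exports = [];   // ip => timestamps of export requests still inside the window
    foreach ($lines as $line) {
        if (($e = parseLogLine($line)) === null) {
            continue;
        }
        if (stripos($e['uri'], 'php://filter') !== false) {
            $alerts[] = "{$e['ip']}: php://filter in request URI {$e['uri']}";
        }
        if (stripos($e['uri'], 'export=pdf') === false) {
            continue;
        }
        $recent   = array_filter($exports[$e['ip']] ?? [], fn($t) => $t > $e['ts'] - WINDOW_SECONDS);
        $recent[] = $e['ts'];
        $exports[$e['ip']] = array_values($recent);
        if (count($recent) === EXPORT_THRESHOLD) {
            $alerts[] = "{$e['ip']}: " . EXPORT_THRESHOLD . " PDF exports within " . WINDOW_SECONDS . "s";
        }
    }
    return $alerts;
}
// Constructed sample log: one client exporting in a burst, one exporting normally.
$log = [
    '203.0.113.7 - - [22/Jan/2026:10:00:05 +0000] "GET /osticket/view.php?id=101&export=pdf HTTP/1.1" 200 9100 "-" "curl/8.0"',
    '203.0.113.7 - - [22/Jan/2026:10:00:09 +0000] "GET /osticket/view.php?id=102&export=pdf HTTP/1.1" 200 9200 "-" "curl/8.0"',
    '198.51.100.4 - - [22/Jan/2026:10:02:00 +0000] "GET /osticket/view.php?id=55&export=pdf HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Jan/2026:10:02:30 +0000] "GET /osticket/view.php?id=103&export=pdf HTTP/1.1" 200 9300 "-" "curl/8.0"',
    '203.0.113.7 - - [22/Jan/2026:10:03:00 +0000] "GET /osticket/view.php?id=php%3A%2F%2Ffilter HTTP/1.1" 400 0 "-" "curl/8.0"',
];
print_r(detectPdfExportAbuse($log));
```

On the sample log this raises a burst alert for 203.0.113.7 on its third export within the window and a separate alert for the URL-encoded php://filter request, while the single export from 198.51.100.4 stays silent.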

Real-World Impact

Enterprises that host osTicket internally often integrate it with LDAP, SSO, and internal ticket-routing workflows. A compromised ticketing system can expose:

  • Active Directory service account passwords stored in configuration files.
  • API keys for third-party services (e.g., Slack, PagerDuty, cloud providers).
  • Internal IP addresses and network topology details embedded in ticket descriptions.
  • Customer PII when tickets contain attached screenshots or logs.

In a simulated breach, Horizon3.ai demonstrated that a single crafted ticket could retrieve /etc/shadow from an Ubuntu 22.04 host running osTicket, then use the extracted password hash to pivot into the host’s SSH service. This chain underscores why the vulnerability is rated critical.

Expert Opinion

From a broader industry perspective, CVE-2026-22200 highlights two persistent challenges:

  1. Legacy Third-Party Libraries: The mPDF library, while powerful, was not originally designed with modern threat models in mind. Applications that embed such libraries must treat them as potential attack surfaces and enforce strict input validation.
  2. Assumed Trust in User Content: Ticketing systems frequently allow end-users to submit rich text, images, and attachments. Treating this data as “safe” is a dangerous assumption. The principle of “never trust user input” must be baked into the design of every export or rendering pipeline.

Enterprises should view this incident as a reminder to audit all “document-generation” features, especially those that interact with the filesystem. Moreover, the rapid adoption of PHP filter chain exploits suggests that defenders need to broaden their detection signatures beyond classic RFI/LFI patterns.

In short, the ticket-to-shell technique is a clever evolution of classic web-application abuse, but the mitigation steps are straightforward. Prompt patching, hardening of PHP configurations, and a zero-trust stance on user-supplied markup will neutralize the threat. Organizations that fail to act quickly risk a full server compromise that could cascade into broader network breaches.