RT 5.0.10 -- 2026-05-20

RT 5.0.10 is now available for general use. This release addresses
several security issues and it is recommended that all users upgrade
as soon as possible. See below for details. In addition to the security
updates, this release includes improvements to inline CSS handling in
the ticket history, balancing correct display of formatted HTML email
with reasonable processing of very large emails on the server.

https://download.bestpractical.com/pub/rt/release/rt-5.0.10.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-5.0.10.tar.gz.asc

SHA-256 sums

508b8d401273da4fe1c47e642ecb6017939ef560e9cfdfeb8d18ef41e4dbc5e6 rt-5.0.10.tar.gz
0eff93782c51fdda2bbc998d313f4a8779d627e9ac6026a05673dca07c50b153 rt-5.0.10.tar.gz.asc

Security

The following security issues are fixed in this release.

• RT 5.0 is vulnerable to privilege escalation and information
  disclosure via the REST 2.0 user collection endpoint. A Privileged RT
  user can obtain authentication credentials belonging to other users,
  including administrators, and use those credentials to read data via
  RT's RSS and iCal feed endpoints. The same request that exposes the
  credentials also rotates them, which invalidates previously-distributed
  feed URLs across the instance. This vulnerability is assigned
  CVE-2026-44231. Thanks to Jeroen Gui for reporting this finding.

• RT 5.0 is vulnerable to SQL injection via the entry_aggregator
  parameter in JSON search. An authenticated user can craft input that is
  incorporated into database queries without proper validation,
  potentially allowing them to read or modify data in the RT database.
  This vulnerability is assigned CVE-2026-41075.

• RT 5.0 is vulnerable to an LDAP authentication bypass when RT is
  configured to authenticate users against an LDAP or Active Directory
  server. Under certain LDAP server configurations, an attacker may be
  able to authenticate as any LDAP-backed RT user without supplying valid
  credentials. This vulnerability is assigned CVE-2026-41076.

• RT 5.0 is vulnerable to reflected cross-site scripting via the search
  "Page" URL parameter. This vulnerability is assigned CVE-2026-6841.
  Thanks to Aleksander Iwicki and CERT Polska for reporting this finding.

• RT 5.0 is vulnerable to reflected cross-site scripting via additional
  URL parameters on search pages. This vulnerability is assigned
  CVE-2026-44227.

• RT 5.0.4 and later are vulnerable to reflected cross-site scripting
  on search-results chart pages. This vulnerability is assigned
  CVE-2026-44230.

• RT 5.0 is vulnerable to cross-site scripting via uploaded content
  that is served inline rather than as an attachment. This vulnerability
  is assigned CVE-2026-44229.

• RT 5.0 is vulnerable to spreadsheet (CSV/formula) injection via
  ticket values that are exported to a spreadsheet from search results.
  User-controlled data is not sanitized before being written to the
  output file, which can cause spreadsheet applications such as Microsoft
  Excel to interpret crafted values as formulas or macros when the file
  is opened. This vulnerability is assigned CVE-2026-41073.

General user features

• Make TicketStatus available in transaction search results
• Process ticket date fields consistently on transaction searches
• Add support for ticket time fields in transaction searches
• Show disabled owners in search results and add disabled indicator

Documentation

• Document the scheme support for ReferrerWhitelist config

Administration

• Handle non-HTTP URI schemes in Referer header for CSRF checks
• Abstract inline CSS feature
• Support to customize INLINE_CSS_MAX_SIZE and INLINE_CSS_MAX_TAGS via env
• Ignore the pre selector when inlining CSS for incoming emails
• Skip inlining CSS for content with over 3k tags
• Shred only queue-level scrips when shredding templates

Internals

• Remove obsolete TSVExport that was for assets
• Avoid unnecessary database queries for non-existent report data
• Fully initialize RT::Configuration on RT init
• Avoid warnings for invalid user records
• Require RT::Base before _ImportOverlays in non-inheriting modules
• Ignore negative answers of equivalent object cache
• Skip Symbol::Global::Name scan during DB config reload
• Add a new backcompat-preinit hook to cover CustomRoles updates
• Add backcompat code to cover changes to CustomRoles
• Use raw content for JS squishing to avoid auto-decoding under Plack 1.0052

Testing

• Support WWW::Mechanize v2.20 (thanks andrew!)
• Test that TicketStatus shows results in transaction searches
• Test transaction searches with ticket dates like TicketResolved
• Test the scheme support for ReferrerWhitelist config
• Test shredding queues and queue-level templates
• Fix GnuPG warning test to work across GnuPG versions

A complete changelog is available from git by running:
git log rt-5.0.9..rt-5.0.10
or visiting
https://github.com/bestpractical/rt/compare/rt-5.0.9...rt-5.0.10