
RT 6.0.3 -- 2026-05-20

RT 6.0.3 is now available for general use. This release addresses
several security issues, and it is recommended that all users upgrade
as soon as possible. See below for details.

In addition to the security updates, this release includes many new
features and updates. Saved searches on dashboards now support pagination
and sorting. Statuses can be assigned colors in the lifecycle configuration.
Accessibility is improved, especially with keyboard menu navigation.
The default custom field display is now multi-column, making it more
dense, showing more information above the fold. And there are many more
updates, improvements, and optimizations.

https://download.bestpractical.com/pub/rt/release/rt-6.0.3.tar.gz
https://download.bestpractical.com/pub/rt/release/rt-6.0.3.tar.gz.asc

SHA-256 sums

117b53e7a46e82ade662050d98920f1255865ca873d6bec80036085b17dd3dc6 rt-6.0.3.tar.gz
551d62dc23a2b3a7f06b97f6fd09bd0ecc617a1b8949697b166c0865ffc45348 rt-6.0.3.tar.gz.asc

Note: Missed Patch for TSV Export Header Injection

After the release of RT 6.0.3, we discovered that a fix for spreadsheet injection via
TSV export headers was included in RT 5.0.10 but inadvertently left out of RT 6.0.3.
The patch below completes the mitigation for CVE-2026-41073. We recommend all RT 6.0.3
users apply the following patch, which will be included in RT 6.0.4:

https://github.com/bestpractical/rt/commit/525547751b76cc422015960bae3056f4e8d4351f.patch
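The steps above (download the tarball and its detached signature, check the published SHA-256 sums, verify the signature, then apply the follow-up patch) as one script. This is an added example and not part of the release announcement or of RT itself; it assumes sha256sum or shasum, gpg, curl, tar and patch are installed, that Best Practical's signing key has already been imported into the local keyring out of band, and that the tarball unpacks into a directory named rt-6.0.3 whose layout matches the repository root so the GitHub commit patch applies with -p1.

```shell
#!/bin/sh
# Added example, not part of the RT release announcement: verify the
# rt-6.0.3 tarball against the published SHA-256 sums and its detached
# OpenPGP signature, then apply the follow-up TSV export header patch.
# Assumes sha256sum (or shasum), gpg, curl, tar and patch are installed.
set -eu

RT_RELEASE_BASE=https://download.bestpractical.com/pub/rt/release
RT_TARBALL=rt-6.0.3.tar.gz
RT_PATCH_URL=https://github.com/bestpractical/rt/commit/525547751b76cc422015960bae3056f4e8d4351f.patch

# SHA-256 sums copied from the release announcement.
RT_TARBALL_SHA256=117b53e7a46e82ade662050d98920f1255865ca873d6bec80036085b17dd3dc6
RT_ASC_SHA256=551d62dc23a2b3a7f06b97f6fd09bd0ecc617a1b8949697b166c0865ffc45348

# Print the lowercase hex SHA-256 of a file, using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed (exit 0) only when the file's digest equals the expected one.
# The comparison is case-insensitive so a pasted uppercase sum still matches.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$1")
    [ "$actual" = "$expected" ]
}

# Download both files, check both sums, check the signature, unpack, patch.
fetch_verify_and_patch() {
    curl -fsSLO "$RT_RELEASE_BASE/$RT_TARBALL"
    curl -fsSLO "$RT_RELEASE_BASE/$RT_TARBALL.asc"
    verify_sha256 "$RT_TARBALL" "$RT_TARBALL_SHA256" \
        || { echo "tarball SHA-256 mismatch, not unpacking" >&2; return 1; }
    verify_sha256 "$RT_TARBALL.asc" "$RT_ASC_SHA256" \
        || { echo "signature file SHA-256 mismatch" >&2; return 1; }
    # The signing key must already be in the keyring (obtained out of band).
    # gpg exits non-zero when the signature does not verify; read its output
    # for the key trust warning as well.
    gpg --verify "$RT_TARBALL.asc" "$RT_TARBALL"
    tar xzf "$RT_TARBALL"
    curl -fsSL "$RT_PATCH_URL" -o tsv-header-fix.patch
    # Assumed unpack directory: rt-6.0.3. Dry-run first so a rejected hunk
    # leaves the tree untouched.
    (cd rt-6.0.3 \
        && patch -p1 --dry-run < ../tsv-header-fix.patch \
        && patch -p1 < ../tsv-header-fix.patch)
}

# The network steps only run when explicitly asked: sh verify-rt.sh run
case "${1:-}" in
    run) fetch_verify_and_patch ;;
esac
```

Checking the sum of the .asc file as well as the tarball catches a swapped signature file, and the sums are only a transport check; the signature is what ties the archive to the release key. Invoke it as `sh verify-rt.sh run` from the directory where the tarball should land.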

Security

The following security issues are fixed in this release.

  • RT 6.0 is vulnerable to privilege escalation and information
    disclosure via the REST 2.0 user collection endpoint. A Privileged RT
    user can obtain authentication credentials belonging to other users,
    including administrators, and use those credentials to read data via
    RT's RSS and iCal feed endpoints. The same request that exposes the
    credentials also rotates them, which invalidates previously-distributed
    feed URLs across the instance. This vulnerability is assigned
    CVE-2026-44231. Thanks to Jeroen Gui for reporting this finding.

  • RT 6.0 is vulnerable to SQL injection via the entry_aggregator
    parameter in JSON search. An authenticated user can craft input that is
    incorporated into database queries without proper validation,
    potentially allowing them to read or modify data in the RT database.
    This vulnerability is assigned CVE-2026-41075.

  • RT 6.0 is vulnerable to an LDAP authentication bypass when RT is
    configured to authenticate users against an LDAP or Active Directory
    server. Under certain LDAP server configurations, an attacker may be
    able to authenticate as any LDAP-backed RT user without supplying valid
    credentials. This vulnerability is assigned CVE-2026-41076.

  • RT 6.0 is vulnerable to Cross-Site Request Forgery (CSRF) for
    authenticated users. An attacker who can induce a logged-in RT user to
    visit a malicious web page can trigger arbitrary state-changing actions
    in RT on that user's behalf. This vulnerability is assigned
    CVE-2026-41074.

  • RT 6.0 is vulnerable to stored cross-site scripting via insufficient
    escaping in templates. This vulnerability is assigned CVE-2026-44228.

  • RT 6.0 is vulnerable to reflected cross-site scripting via the search
    "Page" URL parameter. This vulnerability is assigned CVE-2026-6841.
    Thanks to Aleksander Iwicki and CERT Polska for reporting this finding.

  • RT 6.0 is vulnerable to reflected cross-site scripting via additional
    URL parameters on search pages. This vulnerability is assigned
    CVE-2026-44227.

  • RT 6.0 is vulnerable to reflected cross-site scripting on
    search-results chart pages. This vulnerability is assigned
    CVE-2026-44230.

  • RT 6.0 is vulnerable to cross-site scripting via uploaded content
    that is served inline rather than as an attachment. This vulnerability
    is assigned CVE-2026-44229.

  • RT 6.0 is vulnerable to spreadsheet (CSV/formula) injection via
    ticket values that are exported to a spreadsheet from search results.
    User-controlled data is not sanitized before being written to the
    output file, which can cause spreadsheet applications such as Microsoft
    Excel to interpret crafted values as formulas or macros when the file
    is opened. This vulnerability is assigned CVE-2026-41073.
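The spreadsheet injection item above describes the mechanism (user-controlled values reach the export file unchanged, and the spreadsheet evaluates a leading formula character). As an added example that is not RT's code and not necessarily the approach RT's own fix takes, the script below audits an existing TSV export for cells a spreadsheet would treat as a formula and writes a neutralized copy using the common single-quote prefix mitigation; the trigger character list and the sample TSV rows are constructed for the example. It needs only a POSIX shell and awk.

```shell
#!/bin/sh
# Added example, not RT's own code: audit a TSV export for cells that a
# spreadsheet application would evaluate as a formula, and write a copy
# in which those cells are forced to be text. POSIX sh and awk only.
set -eu

# A cell counts as a formula trigger when its first character is one of
# = + - @ or a carriage return. awk processes the \r escape in -v values,
# so the regex works as a dynamic regex in each function below.
TRIGGER_RE='^[-=+@\r]'

# Print the number of trigger cells in the TSV file named by $1.
count_formula_cells() {
    awk -F'\t' -v re="$TRIGGER_RE" '
        { for (i = 1; i <= NF; i++) if ($i ~ re) n++ }
        END { print n + 0 }' "$1"
}

# Report each trigger cell as line:column<TAB>value, so a reviewer can see
# which exported field (header row included) carried it.
list_formula_cells() {
    awk -F'\t' -v re="$TRIGGER_RE" '
        { for (i = 1; i <= NF; i++)
              if ($i ~ re) printf "%d:%d\t%s\n", NR, i, $i }' "$1"
}

# Print a copy of the TSV where every trigger cell is prefixed with a
# single quote, which spreadsheet applications read as "treat as text".
neutralize_tsv() {
    awk -v re="$TRIGGER_RE" -v q="'" '
        BEGIN { FS = OFS = "\t" }
        { for (i = 1; i <= NF; i++) if ($i ~ re) $i = q $i; print }' "$1"
}

# Usage: sh tsv-audit.sh export.tsv  (lists trigger cells, writes export.tsv.safe)
if [ "${1:-}" != "" ]; then
    list_formula_cells "$1"
    neutralize_tsv "$1" > "$1.safe"
    echo "trigger cells found: $(count_formula_cells "$1"); neutralized copy: $1.safe"
fi
```

The prefix approach is deliberately coarse: a legitimately negative number such as -1 is also quoted, so an exporter that knows a column is numeric can skip it. The header row is checked like any other row, which is exactly the case the missed patch covers.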

General user features

  • Add style to allow resizing CKEditor height
  • Restore new as default status for cloned tickets
  • Escape calendar headers
  • Fix the empty encryption error message on ticket search result page
  • Support showing TicketStatus in transaction searches
  • Process ticket date fields consistently on transaction searches
  • Respect HideUnsetFieldsOnDisplay user preference in page layouts
  • Support showing a search from an RT shortener code
  • Use saved search Rows setting when showing portlets
  • Add support for ticket time fields in transaction searches
  • Support keyboard navigation in main and page menus
  • Move skip navigation link to top of page
  • Update menu timers to avoid closing menus unexpectedly
  • Keep dynamic modal forms open if submission fails
  • Reset inline editing row if Reply/Comment/Description submission fails
  • Reset inline edit row if request succeeded without data changes
  • Emphasize correct parentheses for mixed AND/OR queries
  • Do not reset category select after adding a value
  • Add a new type of article to display a list of links
  • Support rendering links type articles in dashboards
  • Focus on main content area after navigation
  • Add a keyboard shortcut to jump to the page navigation
  • Add a keyboard shortcut to jump to the main navigation
  • Update keyboard shortcut modal content and layout
  • Avoid double tab on tom-select dropdown input elements
  • Show an error message when articles can't be changed to Links type
  • Support user overrides for saved searches
  • Display pagination on dashboard saved searches
  • Support sorting by column in dashboard saved searches
  • Scroll to the top of the portlet when loading a new page
  • Do not render pagination and sorting links in dashboard emails
  • The title link of ShowSearch only works for privileged users
  • Make Calendar work with shortener code
  • Support Calendar for unprivileged users
  • Support using saved search Rows setting in dashboard emails
  • Respect subscription settings only for dashboard emails
  • Support other search types in ShowSearch
  • Support reload for self service searches
  • Improve spacing for stacked asset buttons
  • Make AutoSubmit in SelectArticleAutocomplete consistent with SelectArticle
  • Refine asset autocomplete to honor $AssetSearchFields for multi-field
    search
  • Link RT logo to the official requesttracker.com domain
  • Treat multiple term Simple Search input as phrase search
  • Refresh inline Times form on display page
  • Migrate SelfService ticket and asset pages to page layouts
  • Keep autocomplete custom field dropdowns visible during search in
    inline edit
  • Support various formats of date fields for calendar display mode
  • Make "Jump to Unread" links work with paginated history
  • Tweak the behavior of "Jump to Unread" links for clicked history
  • Make "Jump to Unread" links work with scrolled history
  • Support searching user custom fields in TicketSQL/AssetSQL
  • Add user custom fields to query builder criteria
  • Tweak role member's "NULL" searches
  • Support positive group custom field criteria for role member searches
  • Support grouping by user/watcher custom fields for charts
  • Move Unlink action into the Actions menu
  • Convert accordion show and hide to a caret control
  • Position the asset Actions on the right like tickets
  • Display asset values with a newspaper style layout
  • Remove extra space above Name element in asset portlet
  • Move ticket listing label above list of related tickets
  • Make Binary/Image custom field download links work with boosted
    requests
  • Restrict assets autocomplete to Privileged users
  • Improve the layout and style of the add asset element
  • Refresh inline asset Basics form after edit
  • Show disabled owners in search results and add disabled indicator
  • Localize status where missing in some ticket listings
  • Color events in calendars based on status
  • Provide a status filter on calendar saved searches
  • Create a CALENDAR modifier for Format to set start and end
  • Set new CALENDAR format modifier in the query builder
  • Use new status colors in update status badge style
  • Retain status background color when selected
  • Use viewport bounds to position calendar popups
  • Fix asset id simple search for non-Pg databases
  • Do not show customize for chart saved search
  • Make CF column sizing configurable in page layouts
  • Add red asterisk indicator to label for required custom fields
  • Split transaction actions into separate buttons
  • Add "Toggle contrast" transaction action for history
  • Progressively generate results for unpaginated searches
  • Fix checkbox label click behavior for click-activated inline edit
    widgets
  • Update saved search title on manual reload
  • Construct correct pagination links in linked queues

Documentation

  • Update query builder and ticket metadata docs
  • Update developer docs with playwright setup
  • Unify developer documentation into a single document
  • Document how to use the TitleBox template and spacing behavior
  • Document links type articles
  • Document the scheme support for ReferrerWhitelist config
  • Document changes to rows and saved searches
  • Document the new "page" ShowHistory mode
  • Document user CF search and chart features
  • Add migration docs for cored RTx::Calendar
  • Document the new calendar features
  • Document color status changes in UPGRADING file
  • Update docs/code since CSS::Inliner is now a core dependency
  • Document the shredder index for external attachments
  • Update obsolete --no-users doc in rt-dump-initialdata
  • Update obsolete --no-groups doc in rt-dump-initialdata
  • Reference Description for Inline Edit Behavior
  • Document new Rights endpoints including examples
  • Add a Content example for transactions
  • Clarify tom-select missing-caret patch rationale in README

Administration

  • Add a callback on the query builder advanced page
  • Add a Format grammar for AI consumption
  • Add a TicketSQL grammar file for AI to process and learn
  • Move LLM grammar files to "etc" since the "devel" directory is not
    installed
  • Set DefaultSummaryRows to undef to use saved search rows
  • Add a default RowsPerPage setting for installed searches
  • Use RFC 2231 encoding for non-ASCII attachment filenames in outgoing
    email
  • Restrict lifecycle name to simple ASCII characters
  • Log user name if email address is absent in email ACL check
  • Handle non-HTTP URI schemes in Referer header for CSRF checks
  • Limit lifecycle names to a maximum of 32 characters
  • Only display status rights that are registered by the current
    lifecycle
  • Add pagination to the configuration history page
  • Support searching custom fields by name on admin page
  • Improve the layout of the custom field admin search form
  • Add Description to the default custom field admin format
  • Include Content when requested for REST 2 transactions
  • Add BeforeRequestors callback to QuickCreate
  • Allow status colors to be unset in lifecycle editor
  • Add ModifyCalendar callback
  • Prevent @members from putting users in both Privileged and
    Unprivileged groups
  • Add validator checks for users in both or neither Privileged or
    Unprivileged groups
  • Ignore the pre selector when inlining CSS for incoming emails
  • Abstract inline CSS feature
  • Skip inlining CSS for content with over 3k tags
  • Support customizing INLINE_CSS_MAX_SIZE and INLINE_CSS_MAX_TAGS via
    env
  • Encode filename in disposition for inline attachments
  • Add REST 2 endpoints for working with rights on RT objects
  • Support Lifecycle operations via REST 2 interface
  • Support applying custom fields to objects via REST 2
  • Limit REST 2 API Groups calls to user created groups
  • Accept multiple custom field values in REST2 CF update
  • Convert CF Grouping configuration to standard hash format
  • Initial version of rt-config command line tool
  • Correct old/new contents in the configuration created message
  • Shred only queue-level scrips when shredding templates
  • Allow more border styles and table class
  • Include ticket custom fields in EditDescription
  • Show custom fields in Description widget on ticket create

Internals

  • Remove obsolete TSVExport that was for assets
  • Use DateTime for date iteration to handle edge cases more reliably
  • Filter unlinked reminders early to avoid unnecessary calculations
  • Avoid unnecessary database queries for non-existent report data
  • Fully initialize RT::Configuration on RT init
  • Mark Description as a core custom field grouping
  • Remove incorrect isn't operator for Description search
  • Add new RT 6 tables to reset-sequences utility
  • Fix invalid loc method call in CF search filter
  • Move SPAN values to tds in table search results
  • Standardize format align options using Bootstrap classes
  • Standardize font style and size options with Bootstrap classes
  • Require DateTime in upgrade script
  • Prevent localization of the custom fields and roles in filters
  • Dispose combobox stuff for elements to be swapped out
  • Remove obsolete arguments from ticket/asset display pages
  • Define a list of valid search modes
  • Standardize on Bootstrap card body top padding
  • Avoid warnings for invalid user records
  • Remove COLUMN keyword to comply with Oracle's ALTER TABLE ADD syntax
  • Remove wrong examples from formats that could be sampled
  • Remove grouping spaces when generating CustomFieldInputNamePrefix
  • Explicitly use simple on postgresql for ticket Description search
    strings
  • Use the system user for rt-clean-shorteners
  • Always delay the destruction of bootstrap objects during cleanup
  • Properly check bootstrap modal state during cleanup
  • Clean up status rights when building lifecycle cache
  • Use asset CF by name if the object isn't loaded
  • Use the RT primary CSS variable for column headings
  • Delay tomselect direction check to correctly calculate dropdown size
  • Migrate JSChart legend/tooltip configuration from options to
    options.plugins
  • Remove obsolete striped style from history transactions
  • Redirect htmx boosted requests when aborting external auth
  • Decouple Times and Basics widget refresh cycles
  • Change tomselect dropdown to dropup only if there is enough space at
    the top
  • Fall back to document height to determine tomselect's dropdown
    direction
  • Support AuthToken serialization
  • Shred associated auth tokens on user shred
  • Support shredding AuthToken/Configuration/Shortener rows directly
  • Link general user columns of AuthTokens/Configurations/Shorteners
    for shredder
  • Make sure singleton command flag file does not contain path and
    arguments
  • Load main content for pages migrated to page layouts
  • Register listeners early to stop htmx events from firing before
    they're ready
  • Migrate simple event listeners to document delegation
  • Migrate htmx:load listeners from util.js to init.js
  • Migrate DOM ready code from util.js to init.js
  • Disable lazy load for click/delay history widget
  • Remove duplicated calendar resize handler
  • Make operator consistent with watcher's shallow searches
  • Make COUNT distinct in case the search joins are not distinct
  • Support calculating "Summary of time worked" at the Perl level
  • Expand fields out of rows loop to avoid wrong re-calculations
  • Use Perl to calculate complicated data for not distinct results
  • Handle minimum/maximum chart values of zero
  • Remove the unneeded extra styling from the current-value class
  • Register dynamic modal handlers only once
  • Add "reload consume" htmx trigger for auto-refreshing saved searches
  • Require RT::Base before _ImportOverlays in non-inheriting modules
  • Ignore negative answers of equivalent object cache
  • Add check for install mode in Redirect method
  • Cache timezone options and use POSIX strftime for UTC offset labels
  • Clean up obsolete Timezone metadata in Installer
  • Add id tiebreak to JSON serializer object sort
  • Fix potential uninitialized warnings in Queries.html for SQLite
  • Fix shredding users with their own attributes failing without a
    resolver
  • Skip Symbol::Global::Name scan during DB config reload
  • Delay calendar popup requests
  • In history scroll mode filter by transaction create and id
  • Normalize lifecycle status color keys as lowercase
  • Load limited user columns for RT::CurrentUser
  • Lazy load big text columns
  • Tweak EncodeToRFC2231 to not wrap strings into double quotes
  • Remove dead ASCII branch from EncodeToRFC2231
  • Skip timezone offset for ISO 8601 dates with Z suffix in
    Time::ParseDate
  • Skip bookmarks for rt-dump-initialdata
  • Generalize cache attribute exclusion in JSON serializer
  • Skip principals for rt-dump-initialdata
  • Skip links for rt-dump-initialdata
  • Skip all user/group objects for rt-dump-initialdata --no-users or
    --no-groups
  • Make SQL Queries page work with htmx
  • Skip dropzone removedfile delete when form is submitting via htmx
  • Refresh caches as needed for REST 2 calls
  • Fix TransactionObj in condition for TransactionBatch scrips
  • Update tom-select to version 2.5.2
  • Respect abort arg for Users and Principals autocomplete endpoints
  • Don't set content type for internal users autocomplete calls
  • Convert CF display to columns CSS attribute
  • Show SYNOPSIS section by default in command line help messages
  • Explicitly pass current user to DisplayCallback
  • Enable lazy load except during upgrade
  • Fetch all lazy *Code columns of Scrips directly when running scrips
  • Re-apply patch to tom-select to fix caret spacing issue
  • Restore RowsPerPage after unpaginated CollectionList loop
  • Add a new backcompat-preinit hook to cover CustomRoles updates
  • Add backcompat code to cover changes to CustomRoles
  • Use raw content for JS squishing to avoid auto-decoding under Plack
    1.0052
  • Allow callers to enable lazy load for widget sections
  • Make sure the htmx id in ShowSearch is unique

Testing

  • Support WWW::Mechanize v2.20 (thanks andrew!)
  • Test for Status on ticket create from clone
  • Add tests to fill some gaps in TicketSQL options
  • Add tests for various search Format features
  • Implement automated browser testing using Playwright
  • Support playwright in make test-parallel
  • Remove selenium test files
  • Test using updated test image with Playwright
  • Remove the redundant call to $chrome->close
  • Switch to PID-based database naming to avoid race conditions in tests
  • Test that TicketStatus shows results in transaction searches
  • Test transaction searches with ticket dates like TicketResolved
  • Test HideUnsetFieldsOnDisplay preference
  • Add tests for shortener support in ShowSearch
  • Make QuickCreate playwright tests pass on slow machines (thanks
    andrew!)
  • Make sure all test web servers run on private ports
  • Test ordering assets by CF with ShowAsset rights
  • Add tests for saved search sorting
  • Update tests to align with the new initialdata 10 rows setting
  • Test status rights cleanup
  • Ensure consistent ordering of assets in tests
  • Test for correct filename encoding in MIME Content headers
  • Update tests for phrase searches
  • Support customizing test ports via RT_TEST_PORT_RANGE environment
    variable
  • Test to confirm Time values are updated in edit inputs
  • Add tests for validation of lifecycle names
  • Test the scheme support for ReferrerWhitelist config
  • Test shredding queues and queue-level templates
  • Test date column formats for calendar display mode
  • Test queue-level status rights shown on rights config
  • Add tests for config history pagination
  • Test user custom fields searches in TicketSQL
  • Test role member's "NULL" searches
  • Test chart to group by requestor email
  • Test ticket charts grouped by a watcher
  • Move asset mech test to playwright to cover additional cases
  • Add tests to confirm values are updated during inline edit
  • Add tests for Content in REST 2 transactions
  • Add test for chunked unpaginated search results
  • Add test for install mode with htmx
  • Test timezone options on AboutMe page
  • Request free testing ports for playwright server
  • Fix race conditions in playwright inline edit tests
  • Wait for port to be free after stopping Apache in tests
  • Quit Playwright Node.js server on cleanup
  • Verify test server is reachable and retry with a new port if not
  • Add tests for shredding users with attributes
  • Update test for new status format
  • Add test for CF values with same name/sort order
  • Test privileged/unprivileged group membership via @members in
    initialdata
  • Add validator tests for users in both or neither Privileged or
    Unprivileged groups
  • Test with updated docker base image
  • Test fetched columns of RT::CurrentUser
  • Update tests for the SELECT query change in SearchBuilder 1.84
  • Test user text columns that will be lazy loaded
  • Test for correct inline disposition encoding in MIME Content headers
  • Update test to ensure EncodeToRFC2231 does not wrap strings into
    double quotes
  • Fix GnuPG warning test to work across GnuPG versions
  • Test for ISO format dates with Z at the end
  • Test principals are not exported for rt-dump-initialdata
  • Test links are not exported for rt-dump-initialdata
  • Test user/group groups for rt-dump-initialdata with --no-users
    /--no-groups
  • Test dropzone on ticket create/update
  • Add test for asset SimpleSearch including numeric id search
  • Add tests for upcoming new Rights REST 2 endpoints
  • Update tests for new rights hypermedia in results
  • Test more REST 2 role actions for queues
  • Fix race condition in inline edit tests by detecting main container
    refreshes
  • Add test for TransactionBatch scrip condition TransactionObj
    iteration
  • Add basic tests for new CF column width config
  • Add tests for rt-config cli
  • New docker test image with updated DBIx::SearchBuilder
  • Test the configuration created message
  • Test that tom-select caret variable units survive minification
  • Test pagination in a linked queue portlet on ticket display

A complete changelog is available from git by running:
git log rt-6.0.2..rt-6.0.3
or visiting
rt-6.0.2...rt-6.0.3
