Skip to main content

OTRS CVE-2026-48189

| EUVDEUVD-2026-33551 MEDIUM
Information Exposure (CWE-200)
2026-06-01 OTRS GHSA-9prp-8cr9-jvwq
5.7
CVSS 3.1 · Vendor: OTRS
Share

Severity by source

Vendor (OTRS) PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Primary rating from Vendor (OTRS) · only source for this CVE.

CVSS VectorVendor: OTRS

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 04:22 vuln.today

DescriptionCVE.org

An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected.

This issue affects OTRS:

  • 7.0.X
  • 8.0.X
  • 2023.X
  • 2024.X
  • 2025.X
  • 2026.X before 2026.4.X

AnalysisAI

Improper input validation in the OTRS Customer Backend module allows authenticated low-privilege users to bypass group-based access controls and read customer records restricted to other groups. Affected versions span every major OTRS release line (7.0.X through 2026.X before 2026.4.X), though exploitation is gated by a non-default configuration requirement. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

OTRS (Open Ticket Request System) is an enterprise service management platform by OTRS AG, identified under CPE cpe:2.3:a:otrs_ag:otrs:*:*:*:*:*:*:*:*. The affected component is the Customer Backend module, which handles customer data lookups and presentation within the OTRS agent interface. When the CustomerGroupSupport feature is enabled, OTRS enforces group-based segmentation of customer records, restricting which agents or customer users can view which customer data sets. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the module fails to validate input in a way that enforces these group boundaries, permitting a request to retrieve customer data outside the caller's authorized group scope. This is a logic-level input validation failure rather than a memory corruption or injection class vulnerability.

RemediationAI

The vendor-released patch is OTRS 2026.4.X, confirmed by the OTRS Security Advisory 2026-03 at https://otrs.com/release-notes/otrs-security-advisory-2026-03/. Organizations should upgrade to OTRS 2026.4.X or later as the primary remediation. For organizations unable to patch immediately, a direct compensating control is to disable the CustomerGroupSupport feature; this eliminates the vulnerable code path entirely but also removes group-based customer segmentation, which may be a business-critical capability. A secondary compensating control is to restrict access to the OTRS agent interface to trusted internal network segments via firewall or reverse proxy ACLs, reducing the network-reachable attack surface (AV:N) to a more limited exposure. Administrators should review which agent accounts hold low-privilege access and audit their group memberships as a temporary detective measure while patching is planned.

More in Otrs

View all
CVE-2017-16921 HIGH POC
8.8 Dec 08

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2

CVE-2018-7567 HIGH POC
7.2 Mar 04

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti

CVE-2014-1694 MEDIUM POC
6.8 Feb 04

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,

CVE-2017-9299 MEDIUM POC
6.1 May 29

Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]

CVE-2024-23790 CRITICAL
9.8 Jan 29

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to

CVE-2022-4427 CRITICAL
9.8 Dec 19

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic

CVE-2012-4751 MEDIUM POC
4.3 Oct 22

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor

CVE-2026-48188 CRITICAL
9.1 Jun 01

Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by

CVE-2023-5422 CRITICAL
9.1 Oct 16

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base

CVE-2017-9324 HIGH
8.8 Jun 12

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with

CVE-2017-16664 HIGH
8.8 Nov 21

Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26

CVE-2014-1695 MEDIUM POC
4.3 Mar 01

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,

Share

CVE-2026-48189 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy