Skip to main content

OTRS CVE-2026-48190

| EUVDEUVD-2026-33550 LOW
Incorrect Default Permissions (CWE-276)
2026-06-01 OTRS GHSA-8vpg-x36g-r8gw
3.5
CVSS 3.1 · Vendor: OTRS

Severity by source

Vendor (OTRS) PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from Vendor (OTRS) · only source for this CVE.

CVSS VectorVendor: OTRS

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 04:23 vuln.today

DescriptionCVE.org

An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected.

This issue affects OTRS:

  • 7.0.X
  • 8.0.X
  • 2023.X
  • 2024.X
  • 2025.X
  • 2026.X before 2026.4.X

AnalysisAI

Incorrect permission enforcement in OTRS External Interface and ConfigItem List module allows an authenticated customer to query Configuration Item (CI) data beyond their authorized group scope. The flaw is conditional - both the CMDB module and CustomerGroupSupport must be active simultaneously, substantially narrowing the affected population. Rated CVSS 3.5 (Low) with no confirmed active exploitation and no public exploit code identified at time of analysis, this is a scoped information disclosure risk primarily threatening organizations that expose CMDB asset data through the customer portal.

Technical ContextAI

OTRS (Open Ticket Request System) is an enterprise IT service management and helpdesk platform developed by OTRS AG. The External Interface is the customer-facing web portal, and the ConfigItem List is a component of the optional CMDB (Configuration Management Database) module used to track IT assets, services, and infrastructure as configuration items. The affected CPE is cpe:2.3:a:otrs_ag:otrs:*:*:*:*:*:*:*:*. The root cause is CWE-276 (Incorrect Default Permissions), meaning access control checks governing which CI records a customer may query are improperly applied when CustomerGroupSupport is enabled - a feature intended to scope customer visibility to specific organizational groups. The flaw allows the group-level permission boundary to be bypassed through the CI list query path in the External Interface.

RemediationAI

The vendor-released patch is OTRS 2026.4.X - upgrade to this version or later as the primary remediation, per the advisory at https://otrs.com/release-notes/otrs-security-advisory-2026-04/. Note that organizations running the long-term branches (7.0.X, 8.0.X, 2023.X-2025.X) must assess whether a cross-version upgrade is operationally feasible, as no backport versions are listed. If an immediate upgrade is not viable, disabling the CustomerGroupSupport feature removes the precondition for exploitation, though this trade-off eliminates customer group segmentation functionality. Alternatively, disabling the CMDB module entirely removes the vulnerable attack surface if CI tracking is not operationally required. As an additional compensating control, restricting External Interface access to trusted internal networks or VPN reduces exposure to externally reachable customer accounts, though it does not resolve the underlying permission flaw.

More in Otrs

View all
CVE-2017-16921 HIGH POC
8.8 Dec 08

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2

CVE-2018-7567 HIGH POC
7.2 Mar 04

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti

CVE-2014-1694 MEDIUM POC
6.8 Feb 04

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,

CVE-2017-9299 MEDIUM POC
6.1 May 29

Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]

CVE-2024-23790 CRITICAL
9.8 Jan 29

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to

CVE-2022-4427 CRITICAL
9.8 Dec 19

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic

CVE-2012-4751 MEDIUM POC
4.3 Oct 22

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor

CVE-2026-48188 CRITICAL
9.1 Jun 01

Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by

CVE-2023-5422 CRITICAL
9.1 Oct 16

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base

CVE-2017-9324 HIGH
8.8 Jun 12

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with

CVE-2017-16664 HIGH
8.8 Nov 21

Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26

CVE-2014-1695 MEDIUM POC
4.3 Mar 01

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,

Share

CVE-2026-48190 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy