Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Primary rating from Vendor (OTRS) · only source for this CVE.
CVSS VectorVendor: OTRS
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected.
This issue affects OTRS:
- 7.0.X
- 8.0.X
- 2023.X
- 2024.X
- 2025.X
- 2026.X before 2026.4.X
AnalysisAI
Incorrect permission enforcement in OTRS External Interface and ConfigItem List module allows an authenticated customer to query Configuration Item (CI) data beyond their authorized group scope. The flaw is conditional - both the CMDB module and CustomerGroupSupport must be active simultaneously, substantially narrowing the affected population. Rated CVSS 3.5 (Low) with no confirmed active exploitation and no public exploit code identified at time of analysis, this is a scoped information disclosure risk primarily threatening organizations that expose CMDB asset data through the customer portal.
Technical ContextAI
OTRS (Open Ticket Request System) is an enterprise IT service management and helpdesk platform developed by OTRS AG. The External Interface is the customer-facing web portal, and the ConfigItem List is a component of the optional CMDB (Configuration Management Database) module used to track IT assets, services, and infrastructure as configuration items. The affected CPE is cpe:2.3:a:otrs_ag:otrs:*:*:*:*:*:*:*:*. The root cause is CWE-276 (Incorrect Default Permissions), meaning access control checks governing which CI records a customer may query are improperly applied when CustomerGroupSupport is enabled - a feature intended to scope customer visibility to specific organizational groups. The flaw allows the group-level permission boundary to be bypassed through the CI list query path in the External Interface.
RemediationAI
The vendor-released patch is OTRS 2026.4.X - upgrade to this version or later as the primary remediation, per the advisory at https://otrs.com/release-notes/otrs-security-advisory-2026-04/. Note that organizations running the long-term branches (7.0.X, 8.0.X, 2023.X-2025.X) must assess whether a cross-version upgrade is operationally feasible, as no backport versions are listed. If an immediate upgrade is not viable, disabling the CustomerGroupSupport feature removes the precondition for exploitation, though this trade-off eliminates customer group segmentation functionality. Alternatively, disabling the CMDB module entirely removes the vulnerable attack surface if CI tracking is not operationally required. As an additional compensating control, restricting External Interface access to trusted internal networks or VPN reduces exposure to externally reachable customer accounts, though it does not resolve the underlying permission flaw.
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2
In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor
Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33550
GHSA-8vpg-x36g-r8gw