Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Primary rating from Vendor (OTRS) · only source for this CVE.
CVSS VectorVendor: OTRS
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend
This issue affects OTRS 2026.3.1
AnalysisAI
Unintended internal ticket data exposure in OTRS 2026.3.1 occurs because the ticket article forwarding feature enforces the 'Is visible for customer' flag by default and provides no UI control to override it. Authenticated agents who forward ticket articles will inadvertently expose internal communications or notes to customers through the External Frontend without any warning or opt-out. No public exploit code exists and this is not listed in CISA KEV, but the high confidentiality impact (C:H in CVSS) makes this a meaningful data-leak risk for organizations handling sensitive support workflows.
Technical ContextAI
OTRS (Open Ticket Request System) is an enterprise service management platform used for customer support and internal IT operations. The affected component is the ticket article forwarding workflow, which relies on a visibility flag ('Is visible for customer') to control whether ticket content is surfaced to the customer-facing External Frontend portal. According to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), the root cause is an improper default configuration - the flag defaults to enabled during forwarding and the UI suppresses the toggle control, removing the agent's ability to override it. This means any internal notes, inter-agent communications, or sensitive ticket metadata attached during forwarding are automatically marked as customer-visible. The affected CPE is cpe:2.3:a:otrs_ag:otrs:*:*:*:*:*:*:*:* scoped to version 2026.3.1.
RemediationAI
Apply the vendor-released fix per the OTRS Security Advisory 2026-09 at https://otrs.com/release-notes/otrs-security-advisory-2026-09/. No exact patched version number was provided in available data, so confirm the target upgrade version directly from the advisory before deploying. As a compensating control pending patching, administrators should instruct agents to avoid using the ticket article forwarding feature for articles that contain internal-only content, and should audit existing forwarded articles in the External Frontend for inadvertent disclosures. Additionally, review OTRS system configuration for any settings that govern visibility defaults on article actions and assess whether a configuration-level override is available in the admin panel. Note that restricting access to the forwarding feature entirely would prevent information leakage but would also disrupt legitimate forwarding workflows.
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2
In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor
Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33518
GHSA-f9pc-83mw-48hx