Severity by source
AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the systemThis issue affects OTRS:
- 7.0.X
- 8.0.X
- 2023.X
- 2024.X
- 2025.X
- 2026.X before 2026.3.X
AnalysisAI
Uncontrolled resource consumption in OTRS admin interface SQL Box causes denial of service against the webserver, affecting OTRS 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x, and 2026.x before 2026.3. The vulnerability requires high-privilege admin access and user interaction, limiting real-world impact to authenticated administrators performing deliberate actions. No public exploit code or active exploitation has been identified.
Technical ContextAI
The SQL Box feature in OTRS admin interface implements a query execution mechanism vulnerable to resource exhaustion (CWE-400: Uncontrolled Resource Consumption). This administrative tool, intended for system maintenance tasks, lacks proper input validation or execution resource limits on SQL queries executed through the web interface. The vulnerability allows a malicious admin to craft SQL statements that consume excessive CPU, memory, or I/O resources on the webserver, causing performance degradation or service unavailability. The CPE cpe:2.3:a:otrs_ag:otrs:*:*:*:*:*:*:*:* indicates the entire OTRS product line is affected across all architectures and implementations.
RemediationAI
Upgrade OTRS to version 2026.3 or later to resolve the SQL Box resource consumption issue. For administrators unable to immediately upgrade, implement access control restrictions on the admin interface by limiting SQL Box feature access to a minimal set of trusted administrators, or disable the SQL Box feature entirely if not required for operational maintenance. Monitor webserver process resource utilization (CPU, memory) and establish alerts for anomalous consumption patterns that may indicate exploitation attempts. The vendor advisory at https://otrs.com/release-notes/otrs-security-advisory-2026-01/ provides additional context and should be reviewed before patching to ensure compatibility with local customizations.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23933