Skip to main content

OTRS EUVDEUVD-2026-33518

| CVE-2026-48210 MEDIUM
Information Exposure (CWE-200)
2026-05-31 OTRS GHSA-f9pc-83mw-48hx
5.7
CVSS 3.1 · Vendor: OTRS
Share

Severity by source

Vendor (OTRS) PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Primary rating from Vendor (OTRS) · only source for this CVE.

CVSS VectorVendor: OTRS

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 31, 2026 - 21:50 vuln.today

DescriptionCVE.org

An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend

This issue affects OTRS 2026.3.1

AnalysisAI

Unintended internal ticket data exposure in OTRS 2026.3.1 occurs because the ticket article forwarding feature enforces the 'Is visible for customer' flag by default and provides no UI control to override it. Authenticated agents who forward ticket articles will inadvertently expose internal communications or notes to customers through the External Frontend without any warning or opt-out. No public exploit code exists and this is not listed in CISA KEV, but the high confidentiality impact (C:H in CVSS) makes this a meaningful data-leak risk for organizations handling sensitive support workflows.

Technical ContextAI

OTRS (Open Ticket Request System) is an enterprise service management platform used for customer support and internal IT operations. The affected component is the ticket article forwarding workflow, which relies on a visibility flag ('Is visible for customer') to control whether ticket content is surfaced to the customer-facing External Frontend portal. According to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), the root cause is an improper default configuration - the flag defaults to enabled during forwarding and the UI suppresses the toggle control, removing the agent's ability to override it. This means any internal notes, inter-agent communications, or sensitive ticket metadata attached during forwarding are automatically marked as customer-visible. The affected CPE is cpe:2.3:a:otrs_ag:otrs:*:*:*:*:*:*:*:* scoped to version 2026.3.1.

RemediationAI

Apply the vendor-released fix per the OTRS Security Advisory 2026-09 at https://otrs.com/release-notes/otrs-security-advisory-2026-09/. No exact patched version number was provided in available data, so confirm the target upgrade version directly from the advisory before deploying. As a compensating control pending patching, administrators should instruct agents to avoid using the ticket article forwarding feature for articles that contain internal-only content, and should audit existing forwarded articles in the External Frontend for inadvertent disclosures. Additionally, review OTRS system configuration for any settings that govern visibility defaults on article actions and assess whether a configuration-level override is available in the admin panel. Note that restricting access to the forwarding feature entirely would prevent information leakage but would also disrupt legitimate forwarding workflows.

More in Otrs

View all
CVE-2017-16921 HIGH POC
8.8 Dec 08

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2

CVE-2018-7567 HIGH POC
7.2 Mar 04

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti

CVE-2014-1694 MEDIUM POC
6.8 Feb 04

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,

CVE-2017-9299 MEDIUM POC
6.1 May 29

Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]

CVE-2024-23790 CRITICAL
9.8 Jan 29

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to

CVE-2022-4427 CRITICAL
9.8 Dec 19

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic

CVE-2012-4751 MEDIUM POC
4.3 Oct 22

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor

CVE-2026-48188 CRITICAL
9.1 Jun 01

Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by

CVE-2023-5422 CRITICAL
9.1 Oct 16

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base

CVE-2017-9324 HIGH
8.8 Jun 12

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with

CVE-2017-16664 HIGH
8.8 Nov 21

Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26

CVE-2014-1695 MEDIUM POC
4.3 Mar 01

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,

Share

EUVD-2026-33518 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy