Skip to main content

OTRS EUVDEUVD-2026-33549

| CVE-2026-48191 LOW
Incorrect Default Permissions (CWE-276)
2026-06-01 OTRS GHSA-gfw4-qw54-w5p8
3.5
CVSS 3.1 · Vendor: OTRS

Severity by source

Vendor (OTRS) PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from Vendor (OTRS) · only source for this CVE.

CVSS VectorVendor: OTRS

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 04:20 vuln.today

DescriptionCVE.org

An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them.

This issue affects OTRS with STORM modules:

  • 7.0.X
  • 8.0.X
  • 2023.X
  • 2024.X
  • 2025.X
  • 2026.X before 2026.4.X

AnalysisAI

Information disclosure in OTRS Document Search Article Meta Filters modules (present in both STORM-powered OTRS and standalone OTRS 2026.x) permits authenticated low-privileged users to enumerate metadata - specifically the count of Configuration Items (CIs), SLAs, and services - for objects they are not authorized to access. Affected versions span OTRS with STORM modules 7.0.X through 2026.X before 2026.4.X, making this a broad version-range exposure with a low CVSS score of 3.5. No public exploit identified at time of analysis and the vulnerability has not been added to the CISA KEV catalog.

Technical ContextAI

OTRS is an enterprise IT Service Management (ITSM) platform; STORM is an optional module bundle that extends OTRS with additional ITSM capabilities. The Document Search Article Meta Filters feature allows users to query and filter service desk articles by associated metadata such as Configuration Items (CIs), SLAs, and services. The root cause is CWE-276 (Incorrect Default Permissions), meaning the module's permission enforcement logic does not correctly gate metadata count results against the requesting user's authorization scope. As a result, the filter response leaks aggregate counts (e.g., '5 CIs match') for restricted objects, even when the user has no read rights to those objects. The affected CPE is cpe:2.3:a:otrs_ag:otrs:*:*:*:*:*:*:*:*, covering the broad OTRS product line under OTRS AG.

RemediationAI

Upgrade OTRS with STORM modules to version 2026.4.X or later, which contains the corrected permission handling in the Document Search Article Meta Filters module; this is the only confirmed fix per the vendor advisory at https://otrs.com/release-notes/otrs-security-advisory-2026-05/. For organizations unable to upgrade immediately, a viable compensating control is to restrict access to the Document Search Article Meta Filters feature entirely by removing or revoking the relevant role permissions for users who do not require it - this eliminates the attack surface without requiring a version change, though it may impact legitimate search workflows. Additionally, in environments where strict data segregation between tenants or business units is critical, consider auditing current OTRS role assignments to limit the number of users with Document Search access until patching is complete.

More in Otrs

View all
CVE-2017-16921 HIGH POC
8.8 Dec 08

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2

CVE-2018-7567 HIGH POC
7.2 Mar 04

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti

CVE-2014-1694 MEDIUM POC
6.8 Feb 04

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,

CVE-2017-9299 MEDIUM POC
6.1 May 29

Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]

CVE-2024-23790 CRITICAL
9.8 Jan 29

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to

CVE-2022-4427 CRITICAL
9.8 Dec 19

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic

CVE-2012-4751 MEDIUM POC
4.3 Oct 22

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor

CVE-2026-48188 CRITICAL
9.1 Jun 01

Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by

CVE-2023-5422 CRITICAL
9.1 Oct 16

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base

CVE-2017-9324 HIGH
8.8 Jun 12

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with

CVE-2017-16664 HIGH
8.8 Nov 21

Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26

CVE-2014-1695 MEDIUM POC
4.3 Mar 01

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,

Share

EUVD-2026-33549 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy