Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Primary rating from Vendor (OTRS) · only source for this CVE.
CVSS VectorVendor: OTRS
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them.
This issue affects OTRS with STORM modules:
- 7.0.X
- 8.0.X
- 2023.X
- 2024.X
- 2025.X
- 2026.X before 2026.4.X
AnalysisAI
Information disclosure in OTRS Document Search Article Meta Filters modules (present in both STORM-powered OTRS and standalone OTRS 2026.x) permits authenticated low-privileged users to enumerate metadata - specifically the count of Configuration Items (CIs), SLAs, and services - for objects they are not authorized to access. Affected versions span OTRS with STORM modules 7.0.X through 2026.X before 2026.4.X, making this a broad version-range exposure with a low CVSS score of 3.5. No public exploit identified at time of analysis and the vulnerability has not been added to the CISA KEV catalog.
Technical ContextAI
OTRS is an enterprise IT Service Management (ITSM) platform; STORM is an optional module bundle that extends OTRS with additional ITSM capabilities. The Document Search Article Meta Filters feature allows users to query and filter service desk articles by associated metadata such as Configuration Items (CIs), SLAs, and services. The root cause is CWE-276 (Incorrect Default Permissions), meaning the module's permission enforcement logic does not correctly gate metadata count results against the requesting user's authorization scope. As a result, the filter response leaks aggregate counts (e.g., '5 CIs match') for restricted objects, even when the user has no read rights to those objects. The affected CPE is cpe:2.3:a:otrs_ag:otrs:*:*:*:*:*:*:*:*, covering the broad OTRS product line under OTRS AG.
RemediationAI
Upgrade OTRS with STORM modules to version 2026.4.X or later, which contains the corrected permission handling in the Document Search Article Meta Filters module; this is the only confirmed fix per the vendor advisory at https://otrs.com/release-notes/otrs-security-advisory-2026-05/. For organizations unable to upgrade immediately, a viable compensating control is to restrict access to the Document Search Article Meta Filters feature entirely by removing or revoking the relevant role permissions for users who do not require it - this eliminates the attack surface without requiring a version change, though it may impact legitimate search workflows. Additionally, in environments where strict data segregation between tenants or business units is critical, consider auditing current OTRS role assignments to limit the number of users with Document Search access until patching is complete.
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2
In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor
Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,
Same weakness CWE-276 – Incorrect Default Permissions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33549
GHSA-gfw4-qw54-w5p8