Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Primary rating from Vendor (OTRS) · only source for this CVE.
CVSS VectorVendor: OTRS
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected.
This issue affects OTRS:
- 7.0.X
- 8.0.X
- 2023.X
- 2024.X
- 2025.X
- 2026.X before 2026.4.X
AnalysisAI
Improper input validation in the OTRS Customer Backend module allows authenticated low-privilege users to bypass group-based access controls and read customer records restricted to other groups. Affected versions span every major OTRS release line (7.0.X through 2026.X before 2026.4.X), though exploitation is gated by a non-default configuration requirement. No public exploit identified at time of analysis and this vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
OTRS (Open Ticket Request System) is an enterprise service management platform by OTRS AG, identified under CPE cpe:2.3:a:otrs_ag:otrs:*:*:*:*:*:*:*:*. The affected component is the Customer Backend module, which handles customer data lookups and presentation within the OTRS agent interface. When the CustomerGroupSupport feature is enabled, OTRS enforces group-based segmentation of customer records, restricting which agents or customer users can view which customer data sets. The root cause is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): the module fails to validate input in a way that enforces these group boundaries, permitting a request to retrieve customer data outside the caller's authorized group scope. This is a logic-level input validation failure rather than a memory corruption or injection class vulnerability.
RemediationAI
The vendor-released patch is OTRS 2026.4.X, confirmed by the OTRS Security Advisory 2026-03 at https://otrs.com/release-notes/otrs-security-advisory-2026-03/. Organizations should upgrade to OTRS 2026.4.X or later as the primary remediation. For organizations unable to patch immediately, a direct compensating control is to disable the CustomerGroupSupport feature; this eliminates the vulnerable code path entirely but also removes group-based customer segmentation, which may be a business-critical capability. A secondary compensating control is to restrict access to the OTRS agent interface to trusted internal network segments via firewall or reverse proxy ACLs, reducing the network-reachable attack surface (AV:N) to a more limited exposure. Administrators should review which agent accounts hold low-privilege access and audit their group memberships as a temporary detective measure while patching is planned.
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2
In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor
Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33551
GHSA-9prp-8cr9-jvwq