Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from Vendor (OTRS) · only source for this CVE.
CVSS VectorVendor: OTRS
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.
This issue affects OTRS:
- 7.0.X
- 8.0.X
- 2023.X
- 2024.X
- 2025.X
- 2026.X before 2026.4.X
- (OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition also very likely to be affected
AnalysisAI
Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication bypass when the backing MySQL/MariaDB instance runs with the NO_BACKSLASH_ESCAPES SQL mode. The flaw carries a CVSS of 9.1 with network-reachable, no-privileges-required exploitation against confidentiality and integrity, but no public exploit identified at time of analysis and the issue is gated by a specific non-default database configuration.
Technical ContextAI
OTRS is a widely deployed open-source ticketing and helpdesk platform written in Perl; the ((OTRS)) Community Edition is its legacy community-maintained fork (the 6.0.x line). The root cause is CWE-20 Improper Input Validation in the database abstraction layer: OTRS's escaping logic assumes the standard MySQL/MariaDB behavior of treating backslash as an escape character within string literals. When the database session is started with the NO_BACKSLASH_ESCAPES SQL mode, backslashes are treated literally, so the application's quote-escaping no longer neutralizes attacker-supplied single quotes, allowing breakout of the string context and arbitrary SQL clause injection. Because the injection sits in pre-authentication code paths, an attacker can manipulate the login query to bypass authentication entirely. CPE coverage confirms cpe:2.3:a:otrs_ag:otrs and cpe:2.3:a:otrs_ag:((otrs))_community_edition as the affected products.
RemediationAI
Vendor-released patch: upgrade OTRS to the 2026.4.X line per OTRS Security Advisory 2026-02 (https://otrs.com/release-notes/otrs-security-advisory-2026-02/); the 7.0.X, 8.0.X, 2023.X, 2024.X, and 2025.X branches and ((OTRS)) Community Edition 6.0.x are listed as affected without a clearly enumerated fix release in the available data, so customers on those lines should contact OTRS support or migrate to the patched 2026.4.X line. As an immediate compensating control, inspect the backing MySQL/MariaDB sql_mode (SELECT @@sql_mode) and remove NO_BACKSLASH_ESCAPES from both global and session modes - this neutralizes the precondition for this specific bug but may break applications that intentionally rely on standard-SQL string semantics, so test before deploying. Additional defense-in-depth options include restricting network access to the OTRS web frontend to trusted IP ranges or placing it behind a WAF tuned for SQLi patterns on login endpoints, accepting that WAF coverage of NO_BACKSLASH_ESCAPES-mode injections may be incomplete.
In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2
In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,
Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to
Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor
The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base
In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with
Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,
Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support
Same weakness CWE-20 – Improper Input Validation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33552
GHSA-4vhj-5qc2-97wr