Skip to main content

OTRS EUVDEUVD-2026-33552

| CVE-2026-48188 CRITICAL
Improper Input Validation (CWE-20)
2026-06-01 OTRS GHSA-4vhj-5qc2-97wr
9.1
CVSS 3.1 · Vendor: OTRS
Share

Severity by source

Vendor (OTRS) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from Vendor (OTRS) · only source for this CVE.

CVSS VectorVendor: OTRS

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 01, 2026 - 04:21 vuln.today
CVE Published
Jun 01, 2026 - 03:33 nvd
CRITICAL 9.1

DescriptionCVE.org

An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.

This issue affects OTRS:

  • 7.0.X
  • 8.0.X
  • 2023.X
  • 2024.X
  • 2025.X
  • 2026.X before 2026.4.X
  • (OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

AnalysisAI

Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication bypass when the backing MySQL/MariaDB instance runs with the NO_BACKSLASH_ESCAPES SQL mode. The flaw carries a CVSS of 9.1 with network-reachable, no-privileges-required exploitation against confidentiality and integrity, but no public exploit identified at time of analysis and the issue is gated by a specific non-default database configuration.

Technical ContextAI

OTRS is a widely deployed open-source ticketing and helpdesk platform written in Perl; the ((OTRS)) Community Edition is its legacy community-maintained fork (the 6.0.x line). The root cause is CWE-20 Improper Input Validation in the database abstraction layer: OTRS's escaping logic assumes the standard MySQL/MariaDB behavior of treating backslash as an escape character within string literals. When the database session is started with the NO_BACKSLASH_ESCAPES SQL mode, backslashes are treated literally, so the application's quote-escaping no longer neutralizes attacker-supplied single quotes, allowing breakout of the string context and arbitrary SQL clause injection. Because the injection sits in pre-authentication code paths, an attacker can manipulate the login query to bypass authentication entirely. CPE coverage confirms cpe:2.3:a:otrs_ag:otrs and cpe:2.3:a:otrs_ag:((otrs))_community_edition as the affected products.

RemediationAI

Vendor-released patch: upgrade OTRS to the 2026.4.X line per OTRS Security Advisory 2026-02 (https://otrs.com/release-notes/otrs-security-advisory-2026-02/); the 7.0.X, 8.0.X, 2023.X, 2024.X, and 2025.X branches and ((OTRS)) Community Edition 6.0.x are listed as affected without a clearly enumerated fix release in the available data, so customers on those lines should contact OTRS support or migrate to the patched 2026.4.X line. As an immediate compensating control, inspect the backing MySQL/MariaDB sql_mode (SELECT @@sql_mode) and remove NO_BACKSLASH_ESCAPES from both global and session modes - this neutralizes the precondition for this specific bug but may break applications that intentionally rely on standard-SQL string semantics, so test before deploying. Additional defense-in-depth options include restricting network access to the OTRS web frontend to trusted IP ranges or placing it behind a WAF tuned for SQLi patterns on login endpoints, accepting that WAF coverage of NO_BACKSLASH_ESCAPES-mode injections may be incomplete.

More in Otrs

View all
CVE-2017-16921 HIGH POC
8.8 Dec 08

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2

CVE-2018-7567 HIGH POC
7.2 Mar 04

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti

CVE-2014-1694 MEDIUM POC
6.8 Feb 04

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,

CVE-2017-9299 MEDIUM POC
6.1 May 29

Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]

CVE-2024-23790 CRITICAL
9.8 Jan 29

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to

CVE-2022-4427 CRITICAL
9.8 Dec 19

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic

CVE-2012-4751 MEDIUM POC
4.3 Oct 22

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor

CVE-2023-5422 CRITICAL
9.1 Oct 16

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base

CVE-2017-9324 HIGH
8.8 Jun 12

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with

CVE-2017-16664 HIGH
8.8 Nov 21

Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26

CVE-2014-1695 MEDIUM POC
4.3 Mar 01

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,

CVE-2017-17476 HIGH
8.8 Dec 20

Open Ticket Request System (OTRS) 4.0.x before 4.0.28, 5.0.x before 5.0.26, and 6.0.x before 6.0.3, when cookie support

Share

EUVD-2026-33552 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy