Skip to main content

OTRS EUVDEUVD-2026-33553

| CVE-2026-48187 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-01 OTRS GHSA-v95g-89m8-9p9r
5.7
CVSS 3.1 · Vendor: OTRS
Share

Severity by source

Vendor (OTRS) PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Primary rating from Vendor (OTRS) · only source for this CVE.

CVSS VectorVendor: OTRS

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 04:23 vuln.today

DescriptionCVE.org

An uncontrolled allocation of resources without limits or throttling in the e-mail handling in OTRS allows excessive allocation which may lead to the abortion of the webserver.This issue affects OTRS:

  • 8.0.X
  • 2023.X
  • 2024.X
  • 2025.X
  • 2026.X before 2026.4.X

Please note that ((OTRS)) Community Edition 6.x, OTRS 7.x and products based on the ((OTRS)) Community Edition also very likely to be affected

AnalysisAI

Uncontrolled resource allocation in OTRS's e-mail handling subsystem allows a low-privileged authenticated user to trigger unbounded memory or resource consumption, ultimately aborting the webserver and causing a denial of service against the entire OTRS interface. Affected versions span OTRS 8.0.X through 2026.X prior to 2026.4.X, and the ((OTRS)) Community Edition 6.x and OTRS 7.x branches are noted by the vendor as very likely affected as well. No public exploit has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

OTRS is an enterprise IT service management and ticketing platform (CPE: cpe:2.3:a:otrs_ag:otrs and cpe:2.3:a:otrs_ag:((otrs))_community_edition). The vulnerability is rooted in CWE-400 (Uncontrolled Resource Consumption): the e-mail ingestion and processing pipeline lacks allocation caps or rate-limiting controls, so processing a specially crafted inbound message can cause the application to allocate resources without bound. This exhaustion propagates upward to the hosting webserver process, which aborts under memory or resource pressure. The scope is unchanged (S:U in CVSS), meaning the impact is confined to the OTRS application tier rather than escaping to the underlying OS, but a webserver abort renders the entire OTRS web interface unavailable to all users.

RemediationAI

The vendor-confirmed fix is upgrade to OTRS 2026.4.X or later, which resolves the uncontrolled resource allocation in e-mail handling; see OTRS Security Advisory 2026-06 at https://otrs.com/release-notes/otrs-security-advisory-2026-06/. For OTRS branches 8.0.X, 2023.X, 2024.X, and 2025.X, no patched release is confirmed from available data - organizations on these branches should contact OTRS AG directly for guidance or an upgrade path. For ((OTRS)) Community Edition 6.x and OTRS 7.x, which are noted as very likely affected but for which no vendor patch path exists, specific compensating controls include: applying inbound e-mail size caps and rate limits at the MTA layer (e.g., Postfix smtpd_message_size_limit and smtpd_client_message_rate_limit) to reduce the volume and size of messages reaching OTRS's processor; restricting OTRS web interface access to internal networks or VPN to raise the authentication barrier; and auditing which accounts hold agent or customer portal credentials to minimize the pool of potential low-privileged attackers. Note that MTA-level rate limiting reduces attack surface but does not eliminate the underlying vulnerability if a sufficiently crafted single message can trigger the condition.

More in Otrs

View all
CVE-2017-16921 HIGH POC
8.8 Dec 08

In OTRS 6.0.x up to and including 6.0.1, OTRS 5.0.x up to and including 5.0.24, and OTRS 4.0.x up to and including 4.0.2

CVE-2018-7567 HIGH POC
7.2 Mar 04

In the Admin Package Manager in Open Ticket Request System (OTRS) 5.0.0 through 5.0.24 and 6.0.0 through 6.0.1, authenti

CVE-2014-1694 MEDIUM POC
6.8 Feb 04

Multiple cross-site request forgery (CSRF) vulnerabilities in (1) CustomerPreferences.pm, (2) CustomerTicketMessage.pm,

CVE-2017-9299 MEDIUM POC
6.1 May 29

Open Ticket Request System (OTRS) 3.3.9 has XSS in index.pl?Action=AgentStats requests, as demonstrated by OrderBy=[XSS]

CVE-2024-23790 CRITICAL
9.8 Jan 29

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to

CVE-2022-4427 CRITICAL
9.8 Dec 19

Improper Input Validation vulnerability in OTRS AG OTRS, OTRS AG ((OTRS)) Community Edition allows SQL Injection via Tic

CVE-2012-4751 MEDIUM POC
4.3 Oct 22

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.15, 3.0.x befor

CVE-2026-48188 CRITICAL
9.1 Jun 01

Unauthenticated SQL injection in OTRS and the legacy ((OTRS)) Community Edition database layer enables authentication by

CVE-2023-5422 CRITICAL
9.1 Oct 16

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS base

CVE-2017-9324 HIGH
8.8 Jun 12

In Open Ticket Request System (OTRS) 3.3.x through 3.3.16, 4.x through 4.0.23, and 5.x through 5.0.19, an attacker with

CVE-2017-16664 HIGH
8.8 Nov 21

Code injection exists in Kernel/System/Spelling.pm in Open Ticket Request System (OTRS) 5 before 5.0.24, 4 before 4.0.26

CVE-2014-1695 MEDIUM POC
4.3 Mar 01

Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) 3.1.x before 3.1.20, 3.2.x before 3.2.15,

Share

EUVD-2026-33553 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy