CVE-2026-48190
LowCVSS 3.5Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
Incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. This issue occurs only when CMDB is enabled and CustomerGroupSupport is used.
Risk Assessment
The organization may be exposed to unauthorized access to sensitive configuration information, potentially leading to breaches of customer data privacy and security issues.
Recommendation
It is recommended to review and adjust permissions in the OTRS system to restrict access to CI information to authorized users only. Consider updating to the latest version of OTRS to patch this vulnerability.
Original NVD description (English source)
An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X

