CVE-2026-48191
LowCVSS 3.5Exploitation Probability (EPSS)
Low risk4th percentile — higher than 4% of all known CVEs
Summary
Incorrect handling of permissions in STORM and OTRS (2026.x and above) modules allows gaining knowledge about the number of affected CIs, SLAs, and services without gaining access to them.
Risk Assessment
The organization may be exposed to the disclosure of sensitive information, potentially leading to privacy breaches and data security issues.
Recommendation
It is recommended to update OTRS to version 2026.4.X or newer and review permissions in STORM modules to minimize risk.
Original NVD description (English source)
An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them. This issue affects OTRS with STORM modules: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X

