CVE-2026-48210
MediumCVSS 5.7Exploitation Probability (EPSS)
Low risk16th percentile - higher than 16% of all known CVEs
Summary
An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend.
Risk Assessment
The organization may be exposed to the disclosure of sensitive ticket information to customers, potentially leading to privacy breaches and data security issues.
Recommendation
It is recommended to review and adjust the OTRS configuration to allow users to disable the “Is visible for customer” flag and to update the system to the latest version to minimize risk.
Original NVD description (English source)
An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend This issue affects OTRS 2026.3.1

