Description
An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.

This issue affects OTRS:

* 7.0.X
* 8.0.X
* 2023.X
* 2024.X
* 2025.X
* 2026.X before 2026.4.X
* (OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected
Published: 2026-06-01
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper input validation flaw in the database layer module of OTRS or its Community Edition allows an attacker to inject arbitrary SQL without needing authentication. The vulnerability is rooted in CWE‑20 and, when exploited, can bypass the authentication mechanism of the application, granting an attacker unauthorized access and the ability to manipulate data or execute further commands.

Affected Systems

The flaw affects multiple OTRS releases, specifically 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and all 2026.X builds prior to 2026.4.X, as well as the Community Edition version 6.0.x. Products derived from the Community Edition are also highly likely to be impacted. The vulnerability is only present when the underlying MySQL or MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.

Risk and Exploitability

The CVSS score of 9.1 indicates a High severity level. No EPSS score is currently available, so the probability of exploitation cannot be quantified. The vulnerability is not listed in the CISA KEV catalog, yet the path to exploitation is straightforward: an unauthenticated user can send a crafted request that is processed by the database layer, resulting in arbitrary SQL execution and authentication bypass. Provided the database runs with NO_BACKSLASH_ESCAPES, attackers can exploit the flaw remotely via the web interface.

Generated by OpenCVE AI on June 1, 2026 at 05:51 UTC.

Remediation

Vendor Solution

Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches

Vendor Workaround

Reconfigure MySQL/MariaDB servernot to use NO_BACKSLASH_ESCAPES SQL

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading to OTRS 2026.4.1 or later; note that no patch exists for OTRS 7, so a major version upgrade is necessary for 7.0.X systems.
  • Reconfigure the MySQL or MariaDB server to disable the NO_BACKSLASH_ESCAPES SQL mode, eliminating the database configuration that enables the injection path.
  • Implement logging and monitoring to detect and alert on suspicious SQL queries or authentication bypass attempts.

Generated by OpenCVE AI on June 1, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Description An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X * (OTRS)) Community Edition: 6.0.x Products based on the ((OTRS)) Community Edition also very likely to be affected
Title SQL Injection via MySQL Quote Method
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: OTRS

Published:

Updated: 2026-06-01T03:33:15.822Z

Reserved: 2026-05-21T07:53:13.254Z

Link: CVE-2026-48188

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-01T04:16:22.583

Modified: 2026-06-01T04:16:22.583

Link: CVE-2026-48188

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T06:00:10Z

Weaknesses