Description
An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected.

This issue affects OTRS:

* 7.0.X
* 8.0.X
* 2023.X
* 2024.X
* 2025.X
* 2026.X before 2026.4.X
Published: 2026-06-01
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper input validation flaw in the OTRS Customer Backend module that allows an attacker to read customer information that should be restricted to other groups. Because the flaw only manifests when the CustomerGroupSupport feature is enabled, users must enable this option for the risk to materialize. The primary impact is the unauthorized disclosure of customer data, which can lead to privacy violations and potential downstream exploitation of personal information. The weakness is classified as CWE‑200, a confidentiality breach.

Affected Systems

The issue exists in OTRS AG’s OTRS platform for the following releases: 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x, and all 2026.x versions prior to 2026.4.x. Anyone running these versions with CustomerGroupSupport enabled is vulnerable.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. The EPSS score is unavailable, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread, confirmed exploitation at this time. Based on the description, the likely attack vector is through standard web requests to the Customer Backend module; an attacker would need to craft a request that takes advantage of the unchecked input validation. No additional authentication requirements are specified, so the exploit may be performed by an authenticated or unauthenticated user depending on configuration, but it still requires the CustomerGroupSupport feature to be active.

Generated by OpenCVE AI on June 1, 2026 at 05:21 UTC.

Remediation

Vendor Solution

Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches

OpenCVE Recommended Actions

  • Apply the vendor patch OTRS 2026.4.1 or later.
  • If an immediate update is not possible, disable the CustomerGroupSupport feature to block the exploitation path until a patch is applied.
  • Continuously review application logs for anomalous access patterns to customer data and confirm that group restrictions are enforced.

Generated by OpenCVE AI on June 1, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Description An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X
Title Bypass DedicatedAgentToCustomerGroups Setting
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: OTRS

Published:

Updated: 2026-06-01T03:33:03.373Z

Reserved: 2026-05-21T07:53:13.254Z

Link: CVE-2026-48189

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-01T04:16:22.723

Modified: 2026-06-01T04:16:22.723

Link: CVE-2026-48189

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-01T05:30:20Z

Weaknesses