Description
An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected.

This issue affects OTRS:

* 7.0.X
* 8.0.X
* 2023.X
* 2024.X
* 2025.X
* 2026.X before 2026.4.X
Published: 2026-06-01
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from an incorrect permission check in OTRS's External Interface ConfigItem List module. An authenticated customer can exploit this flaw to query ConfigItem objects and retrieve internal CI data. The flaw does not affect system integrity or availability, but it exposes configuration information that could assist in further attacks.

Affected Systems

Affected systems are OTRS AG’s OTRS platform versions 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and all 2026.X releases prior to 2026.4.1. The Configuration Management Database (CMDB) must be enabled, and CustomerGroupSupport features must be active for exploitation to be possible.

Risk and Exploitability

The CVSS score of 3.5 indicates low severity. EPSS data is not available and the vulnerability is not listed in CISA KEV. Exploitation requires an authenticated customer in an environment where the CMDB is enabled and CustomerGroupSupport is used, limiting the attack surface. Consequently, the risk of exploitation is low but not zero in affected configurations.

Generated by OpenCVE AI on June 1, 2026 at 05:52 UTC.

Remediation

Vendor Solution

Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches

OpenCVE Recommended Actions

  • Update OTRS to version 2026.4.1 or later.
  • Disable CustomerGroupSupport or CMDB for untrusted customers to block unauthorized queries.
  • Restrict customer permissions so that only necessary users can access the External Interface ConfigItem List.

Generated by OpenCVE AI on June 1, 2026 at 05:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Otrs
Otrs otrs
Vendors & Products Otrs
Otrs otrs

Mon, 01 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Description An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X
Title Incorrect handling of permissions in External Interface Config Item List module
Weaknesses CWE-276
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

Otrs Otrs
cve-icon MITRE

Status: PUBLISHED

Assigner: OTRS

Published:

Updated: 2026-06-01T13:18:37.055Z

Reserved: 2026-05-21T07:53:13.254Z

Link: CVE-2026-48190

cve-icon Vulnrichment

Updated: 2026-06-01T13:18:33.453Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T04:16:22.857

Modified: 2026-06-15T12:43:58.050

Link: CVE-2026-48190

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:30:16Z

Weaknesses
  • CWE-276

    Incorrect Default Permissions