Description
An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about the number of affected CIs, SLA and services without gaining access to them.

This issue affects OTRS with STORM modules:

* 7.0.X
* 8.0.X
* 2023.X
* 2024.X
* 2025.X
* 2026.X before 2026.4.X

Published: 2026-06-01
Score: 3.5 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect handling of file system and configuration permissions in the STORM-powered Document Search Article Meta Filters module of OTRS allows an attacker to learn the number of affected configuration items, service level agreements and services. The flaw is an insecure permission setting (CWE‑276) that exposes metadata to users who should not have that level of insight, potentially aiding further reconnaissance or targeted attacks.

Affected Systems

Vendors: OTRS AG; Product: OTRS. Affected versions include OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X and all 2026.X releases prior to 2026.4.X, specifically when the STORM modules are installed.

Risk and Exploitability

The CVSS score is 3.5, which falls in the Low severity band. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that publicly known exploit code is scarce. The likely attack vector is through the web interface or internal user privileges, where an authenticated or partially privileged attacker could query the affected meta filters and infer sensitive management data. Exploitation does not require privilege escalation or code execution but relies on misconfigured permissions.

Generated by OpenCVE AI on June 1, 2026 at 05:21 UTC.

Remediation

Vendor Solution

Update to OTRS 2026.4.1 or later. Please note that there will be no OTRS 7 patches.


OpenCVE Recommended Actions

  • Install the OTRS 2026.4.1 patch or later to resolve the incorrect permission handling.
  • Disable the STORM modules if they are not essential for business operations, thereby eliminating the vulnerable functionality.
  • Reconfigure Document Search Article Meta Filters permissions so that only authorized users can view metadata, applying the principles of least privilege as guided by CWE‑276.

Generated by OpenCVE AI on June 1, 2026 at 05:21 UTC.

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 04:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them. This issue affects OTRS with STORM modules: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X |
| Title | | Wrong Permission Handling in Document Search Article Meta Filters |
| Weaknesses | | CWE-276 |
| References | | |
| Metrics | | cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: OTRS

Published:

Updated: 2026-06-01T03:32:47.624Z

Reserved: 2026-05-21T07:53:13.254Z

Link: CVE-2026-48191

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-01T04:16:22.983

Modified: 2026-06-01T04:16:22.983

Link: CVE-2026-48191

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T05:30:20Z

Weaknesses