Description
An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them.

This issue affects OTRS with STORM modules:

* 7.0.X
* 8.0.X
* 2023.X
* 2024.X
* 2025.X
* 2026.X before 2026.4.X

Published: 2026-06-01
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An incorrect handling of file system and configuration permissions in the STORM-powered Document Search Article Meta Filters module of OTRS allows an attacker to learn the number of affected configuration items, service level agreements and services. The flaw is an insecure permission setting (CWE-276) that exposes metadata to users who should not have that level of insight, potentially aiding further reconnaissance or targeted attacks.

Affected Systems

Vendors: OTRS AG; Product: OTRS. Affected versions include OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X and all 2026.X releases prior to 2026.4.X, specifically when the STORM modules are installed.

Risk and Exploitability

The CVSS score is 3.5, indicating low-to-moderate impact. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that publicly known exploit code is scarce. The likely attack vector is through the web interface or internal user privileges, where an authenticated or partially privileged attacker could query the affected meta filters and infer sensitive management data. Exploitation does not require privilege escalation or code execution but relies on misconfigured permissions.

Generated by OpenCVE AI on June 1, 2026 at 05:21 UTC.

Remediation

Vendor Solution

Update to OTRS 2026.4.1 or later. Please note that there will be no OTRS 7 patches.

OpenCVE Recommended Actions

  • Install the OTRS 2026.4.1 patch or later to resolve the incorrect permission handling.
  • Disable the STORM modules if they are not essential for business operations, thereby eliminating the vulnerable functionality.
  • Reconfigure Document Search Article Meta Filters permissions so that only authorized users can view metadata, applying the principle of least privilege as guided by CWE-276.

Generated by OpenCVE AI on June 1, 2026 at 05:21 UTC.


Advisories

No advisories yet.

History

Mon, 15 Jun 2026 12:45:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:otrs:otrs:*:*:*:*:*:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Otrs; Otrs otrs

Type: Vendors & Products
Values Removed: (none)
Values Added: Otrs; Otrs otrs

Mon, 01 Jun 2026 14:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 04:00:00 +0000

Type: Description
Values Added: An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them. This issue affects OTRS with STORM modules: 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, 2026.X before 2026.4.X

Type: Title
Values Added: Wrong Permission Handling in Document Search Article Meta Filters

Type: Weaknesses
Values Added: CWE-276

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: OTRS

Published:

Updated: 2026-06-01T13:18:59.494Z

Reserved: 2026-05-21T07:53:13.254Z

Link: CVE-2026-48191

Vulnrichment

Updated: 2026-06-01T13:18:55.683Z

NVD

Status: Analyzed

Published: 2026-06-01T04:16:22.983

Modified: 2026-06-15T12:42:03.090

Link: CVE-2026-48191

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:30:16Z

Weaknesses

  • CWE-276: Incorrect Default Permissions