Description
An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend.

This issue affects OTRS 2026.3.1
Published: 2026-05-31
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the "Is visible for customer" flag by default, preventing users from disabling it through the UI. This results in unintended exposure of internal ticket information to the external frontend, allowing users who forward ticket articles to disclose sensitive content that is meant to remain confidential.

Affected Systems

The vulnerability affects OTRS, a ticketing system from OTRS AG, specifically version 2026.3.1. Any deployments of this version that allow ticket article forwarding are susceptible to the disclosed data leak.

Risk and Exploitability

The CVSS score of 5.7 indicates a moderate severity. Since the EPSS score is not available and the issue is not listed in CISA KEV, the likelihood of widespread exploitation is not well quantified, but any logged-in user who forwards a ticket may inadvertently expose sensitive information. The attack path is straightforward: a user initiates a forward action via the web interface, the system automatically sets the visibility flag to true, and internal data becomes visible to external front-end users.

Generated by OpenCVE AI on May 31, 2026 at 22:20 UTC.

Remediation

Vendor Solution

Update to the latest version of OTRS (2026.4.1 or later).


Vendor Workaround

Go to Forms###AgentFrontend::TicketArticle::Action::Forward in System Configuration. Under "Is visible for customer" you will find a line Disabled: 1. Change it to Disabled: 0 or remove it. Caution: the user still has to check the checkbox when forwarding and uncheck it if needed.


OpenCVE Recommended Actions

  • Apply the official patch and upgrade OTRS to version 2026.4.1 or later to correct the default configuration.
  • If an upgrade is not immediately possible, open System Configuration, navigate to Forms###AgentFrontend::TicketArticle::Action::Forward, change the Disabled: 1 line under "Is visible for customer" to Disabled: 0 or remove it, and ensure the checkbox is unchecked before forwarding.
  • After applying the patch or configuration change, review forwarded ticket articles to confirm that the visibility flag is no longer set by default, and monitor for any accidental disclosure of internal content.

Generated by OpenCVE AI on May 31, 2026 at 22:20 UTC.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 13:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:otrs:otrs:2026.3.1:*:*:*:*:*:*:*

Wed, 03 Jun 2026 02:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Otrs; Otrs otrs
Vendors & Products | | Otrs; Otrs otrs

Mon, 01 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 31 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend. This issue affects OTRS 2026.3.1
Title | | Possible information disclosure via External Interface
Weaknesses | | CWE-200; CWE-269
References | |
Metrics | | cvssV3_1: {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: OTRS

Published:

Updated: 2026-06-01T13:24:39.472Z

Reserved: 2026-05-21T12:12:49.646Z

Link: CVE-2026-48210

Vulnrichment

Updated: 2026-06-01T13:24:35.707Z

NVD

Status: Analyzed

Published: 2026-05-31T22:16:55.133

Modified: 2026-06-15T12:47:16.943

Link: CVE-2026-48210

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:30:16Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-269: Improper Privilege Management