Description
An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevents users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend.

This issue affects OTRS 2026.3.1.
Published: 2026-05-31
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the "Is visible for customer" flag by default, preventing users from disabling it through the UI. This results in unintended exposure of internal ticket information to the external frontend, allowing users who forward ticket articles to disclose sensitive content that is meant to remain confidential.

Affected Systems

The vulnerability affects OTRS, a ticketing system from OTRS AG, specifically version 2026.3.1. Any deployments of this version that allow ticket article forwarding are susceptible to the disclosed data leak.

Risk and Exploitability

The CVSS score of 5.7 indicates a moderate severity. Since the EPSS score is not available and the issue is not listed in CISA KEV, the likelihood of widespread exploitation is not well quantified, but any logged-in user who forwards a ticket may inadvertently expose sensitive information. The attack path is straightforward: a user initiates a forward action via the web interface, the system automatically sets the visibility flag to true, and internal data becomes visible to external front-end users.

Generated by OpenCVE AI on May 31, 2026 at 22:20 UTC.

Remediation

Vendor Solution

Update to the latest version of OTRS (2026.4.1 or later).


Vendor Workaround

Go to Forms###AgentFrontend::TicketArticle::Action::Forward in System Configuration. Next to "Is visible for customer" you will find the line Disabled: 1. Change it to Disabled: 0 or remove it. Caution: the user still has to check the checkbox when forwarding and uncheck it if needed.


OpenCVE Recommended Actions

  • Apply the official patch and upgrade OTRS to version 2026.4.1 or later to correct the default configuration.
  • If an upgrade is not immediately possible, modify System Configuration by navigating to Forms###AgentFrontend::TicketArticle::Action::Forward, set the "Is visible for customer" flag from Disabled: 1 to Disabled: 0 or remove the line, and ensure the checkbox is unchecked before forwarding.
  • After applying the patch or configuration change, review forwarded ticket articles to confirm that the visibility flag is no longer set by default, and monitor for any accidental disclosure of internal content.

Generated by OpenCVE AI on May 31, 2026 at 22:20 UTC.

Advisories

No advisories yet.

History

Sun, 31 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Description | | An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend. This issue affects OTRS 2026.3.1
Title | | Possible information disclosure via External Interface
Weaknesses | | CWE-200, CWE-269
References | |
Metrics | | cvssV3_1 {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: OTRS

Published:

Updated: 2026-05-31T21:11:25.337Z

Reserved: 2026-05-21T12:12:49.646Z

Link: CVE-2026-48210

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T22:16:55.133

Modified: 2026-05-31T22:16:55.133

Link: CVE-2026-48210

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T22:30:14Z

Weaknesses