Description
A vulnerability in the SQL Box in the admin interface of OTRS leads to uncontrolled resource consumption, leading to a DoS against the webserver (will be killed by the system). This issue affects OTRS:

* 7.0.X
* 8.0.X
* 2023.X
* 2024.X
* 2025.X
* 2026.X before 2026.3.X
Published: 2026-04-20
Score: 4.5 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service (resource exhaustion causing server downtime)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability lies in the SQL Box component of the OTRS administration interface and results in uncontrolled resource consumption. When an attacker submits queries that trigger excessive CPU or memory usage, the process may be terminated, causing a denial of service for the webserver. This vulnerability does not allow direct data exfiltration or integrity compromise; its primary impact is on availability, as indicated by the CWE list.

Affected Systems

The affected product is OTRS by OTRS AG. Versions 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x, and all 2026.x releases prior to 2026.3.x are vulnerable.

Risk and Exploitability

The CVSS score of 4.5 indicates moderate severity; no EPSS data is available and the vulnerability is not listed in CISA KEV. The likely attack vector involves the web-based administration interface, where a user with sufficient privileges can trigger resource-heavy queries. Successful exploitation disrupts availability but does not directly compromise confidentiality or integrity.

Generated by OpenCVE AI on April 21, 2026 at 00:02 UTC.

Remediation

Vendor Solution

Update to OTRS 2026.3.1 or later. Please note that there will be no OTRS 7 patches.

Vendor Workaround

Remove SQL Box from Admin Interface via System Configuration

OpenCVE Recommended Actions

  • Update the OTRS installation to version 2026.3.1 or later, which removes the vulnerable SQL Box behavior.
  • If an immediate upgrade is not possible, delete or disable the SQL Box feature by modifying the system configuration in the admin interface.
  • Restrict access to the administration console to trusted personnel or secure network segments to reduce the risk of abuse.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 18:45:00 +0000

Type: Description
Values removed: (none)
Values added: A vulnerability in the SQL Box in the admin interface of OTRS leads to uncontrolled resource consumption, leading to a DoS against the webserver (will be killed by the system). This issue affects OTRS: 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, 2026.X before 2026.3.X

Type: Title
Values removed: (none)
Values added: Possible DoS via SQL Box

Type: Weaknesses
Values removed: (none)
Values added: CWE-400, CWE-770

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 4.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: OTRS

Published:

Updated: 2026-04-20T18:48:48.185Z

Reserved: 2026-04-10T08:43:26.385Z

Link: CVE-2026-6060

Vulnrichment

Updated: 2026-04-20T18:48:38.481Z

NVD

Status: Received

Published: 2026-04-20T19:16:11.043

Modified: 2026-04-20T19:16:11.043

Link: CVE-2026-6060

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses