Home

Description

An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X

PUBLISHED Reserved 2026-05-21 | Published 2026-06-01 | Updated 2026-06-01 | Assigner OTRS




LOW: 3.5CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Problem types

CWE-276 Incorrect Default Permissions

Product status

Default status
unknown

7.0.x
affected

8.0.x
affected

2023.x
affected

2024.x
affected

2025.x
affected

2026.x (patch)
affected

References

otrs.com/release-notes/otrs-security-advisory-2026-04/

cve.org (CVE-2026-48190)

nvd.nist.gov (CVE-2026-48190)

Download JSON