Description

An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about the number of affected CIs, SLA and services without gaining access to them.

This issue affects OTRS with STORM modules:

* 7.0.X
* 8.0.X
* 2023.X
* 2024.X
* 2025.X
* 2026.X before 2026.4.X

PUBLISHED Reserved 2026-05-21 | Published 2026-06-01 | Updated 2026-06-01 | Assigner OTRS




LOW: 3.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Problem types

CWE-276 Incorrect Default Permissions

Product status

Default status: unknown

7.0.x: unknown
8.0.x: affected
2023.x: affected
2024.x: affected
2025.x: affected
2026.x (patch): affected

References

otrs.com/release-notes/otrs-security-advisory-2026-05/

cve.org (CVE-2026-48191)

nvd.nist.gov (CVE-2026-48191)