CVE-2026-48190 - Vulnerability Details - OpenCVE

An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://otrs.com/release-notes/otrs-security-advisory-2026-04/

History

Mon, 01 Jun 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X
Title		Incorrect handling of permissions in External Interface Config Item List module
Weaknesses		CWE-276
References		https://otrs.com/release-notes/otrs-security-advisory-2026-04/
Metrics		cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: OTRS

Published: 2026-06-01T03:32:53.621Z

Updated: 2026-06-01T03:32:53.621Z

Reserved: 2026-05-21T07:53:13.254Z

Link: CVE-2026-48190

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-01T04:16:22.857

Modified: 2026-06-01T04:16:22.857

Link: CVE-2026-48190

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48190", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2026-05-21T07:53:13.254Z", "datePublished": "2026-06-01T03:32:53.621Z", "dateUpdated": "2026-06-01T03:32:53.621Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["External Interface", "ConfigItem List"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"status": "affected", "version": "7.0.x"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x"}, {"status": "affected", "version": "2025.x"}, {"lessThanOrEqual": "2026.3.x", "status": "affected", "version": "2026.x", "versionType": "patch"}]}], "datePublic": "2026-06-01T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and <code>CustomerGroupSupport</code> has to be used to be affected.<p></p><p>This issue affects OTRS: </p><ul><li>7.0.X</li><li>8.0.X</li><li>2023.X</li><li>2024.X</li><li>2025.X</li><li>2026.X before 2026.4.X</li></ul><p></p>"}], "value": "An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport\u00a0has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X"}], "impacts": [{"capecId": "CAPEC-54", "descriptions": [{"lang": "en", "value": "CAPEC-54 Query System for Information"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2026-06-01T03:32:53.621Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2026-04/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches<br>"}], "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches"}], "source": {"advisory": "OSA-2026-04", "defect": ["Ticket#2026052110000171", "Issue#3939"], "discovery": "USER"}, "title": "Incorrect handling of permissions in External Interface Config Item List module", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}