CVE-2026-48210 - Vulnerability Details - OpenCVE

An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend This issue affects OTRS 2026.3.1

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

No data.

References

Link	Providers
https://otrs.com/release-notes/otrs-security-advisory-2026-09/

History

Sun, 31 May 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend This issue affects OTRS 2026.3.1
Title		Possible information disclosure via External Interface
Weaknesses		CWE-200 CWE-269
References		https://otrs.com/release-notes/otrs-security-advisory-2026-09/
Metrics		cvssV3_1 `{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: OTRS

Published: 2026-05-31T21:11:25.337Z

Updated: 2026-05-31T21:11:25.337Z

Reserved: 2026-05-21T12:12:49.646Z

Link: CVE-2026-48210

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48210", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2026-05-21T12:12:49.646Z", "datePublished": "2026-05-31T21:11:25.337Z", "dateUpdated": "2026-05-31T21:11:25.337Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["External Interface"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"status": "affected", "version": "2026.3.1"}]}], "datePublic": "2026-06-01T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the \u201cIs visible for customer\u201d flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend</div><div><div><br></div><div>This issue affects OTRS 2026.3.1</div></div>"}], "value": "An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the \u201cIs visible for customer\u201d flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend\n\nThis issue affects OTRS 2026.3.1"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}, {"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2026-05-31T21:11:25.337Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2026-09/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to latest version of OTRS (2026.4.1. or later).<br>"}], "value": "Update to latest version of OTRS (2026.4.1. or later)."}], "source": {"advisory": "OSA-2026-09", "defect": ["Ticket#2026052110000321", "Issue#4853"], "discovery": "USER"}, "title": "Possible information disclosure via External Interface", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Go to Forms###AgentFrontend::TicketArticle::Action::Forward in System Configuration. You will find that by Is visible for customer is a line Disabled: 1. Change it to Disabled to 0 or remove it. <br><br><b>Caution: Still the user has to check the checkbox on forwarding and uncheck it if needed</b>"}], "value": "Go to Forms###AgentFrontend::TicketArticle::Action::Forward in System Configuration.\u00a0You will find that by Is visible for customer is a line Disabled: 1. Change it to\u00a0Disabled to 0 or remove it.\u00a0\n\nCaution: Still the user has to check the checkbox on forwarding and uncheck it if needed"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}