CVE-2026-6060
Received Received - Intake
Uncontrolled Resource Consumption in OTRS SQL Box Causes DoS

Publication date: 2026-04-20

Last updated on: 2026-04-20

Assigner: OTRS AG

Description
A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the systemThis issue affects OTRS:Β  * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.3.X
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6060
EUVD
EUVD-2026-23933
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
otrs otrs 7.0
otrs otrs 8.0
otrs otrs 2023.*
otrs otrs 2024.*
otrs otrs 2025.*
otrs otrs to 2026.3 (exc)
otrs otrs From 2023.0 (inc) to 2026.0 (inc)
otrs otrs From 2024.0 (inc) to 2026.0 (inc)
otrs otrs From 2025.0 (inc) to 2026.0 (inc)
otrs otrs From 2026.0 (inc) to 2026.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-6060 is a vulnerability in the SQL Box component of the admin interface in OTRS versions 7.0.X, 8.0.X, and all 2023.X through 2026.X releases prior to 2026.3.X.

The issue is classified as uncontrolled resource consumption, meaning that attackers can exploit the lack of limits or throttling on resource allocation within the SQL Box feature.

This exploitation can lead to excessive resource usage, causing a denial of service (DoS) against the webserver by exhausting system resources.

Impact Analysis

The primary impact of this vulnerability is a denial of service (DoS) condition against the OTRS webserver.

Attackers can cause resource exhaustion by flooding or excessive allocation of resources through the SQL Box feature, which can disrupt normal operations and availability of the service.

This can lead to downtime or degraded performance, affecting users' ability to access or use the OTRS system.

Detection Guidance

This vulnerability involves uncontrolled resource consumption in the SQL Box component of OTRS, which can lead to denial of service by exhausting system resources.

Detection would involve monitoring for unusual resource usage patterns on the webserver hosting OTRS, such as spikes in CPU or memory consumption related to SQL Box activity.

Specific commands are not provided in the available resources, but general approaches include using system monitoring tools like 'top', 'htop', or 'ps' to observe processes consuming excessive resources.

  • Use 'top' or 'htop' to monitor CPU and memory usage in real time.
  • Use 'ps aux --sort=-%mem' or 'ps aux --sort=-%cpu' to identify processes with high resource consumption.
  • Check webserver logs for repeated or abnormal SQL Box requests that might indicate exploitation attempts.
Mitigation Strategies

The recommended immediate mitigation is to update OTRS to version 2026.3.1 or later, where the vulnerability is fixed.

If updating is not immediately possible, administrators can remove or disable the SQL Box feature from the Admin Interface via System Configuration to prevent exploitation.

Note that no patches will be provided for OTRS version 7, so upgrading or disabling the feature is critical.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6060. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart