CVE-2026-48210
Improper Default Configuration in OTRS 2026.3.1 Exposes Ticket Data
Publication date: 2026-05-31
Last updated on: 2026-05-31
Assigner: OTRS AG
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| otrs | otrs | 2026.3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is caused by an improper default configuration in OTRS version 2026.3.1. Specifically, when forwarding ticket articles, the system enforces the “Is visible for customer” flag by default and does not allow users to disable this setting through the user interface.
As a result, internal ticket information that should remain confidential can be unintentionally exposed to external users via the External Frontend.
How can this vulnerability impact me? :
The vulnerability can lead to unintended exposure of sensitive internal ticket information to external users. This could compromise confidentiality and potentially reveal internal processes or data that should remain private.