CVE-2026-48210
Analyzed Analyzed - Analysis Complete
Improper Default Configuration in OTRS 2026.3.1 Exposes Ticket Data

Publication date: 2026-05-31

Last updated on: 2026-06-15

Assigner: OTRS AG

Description
An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend This issue affects OTRS 2026.3.1
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-31
Last Modified
2026-06-15
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-19
NVD
CVE-2026-48210
EUVD
EUVD-2026-33518
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
otrs otrs 2026.3.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is caused by an improper default configuration in OTRS version 2026.3.1. Specifically, when forwarding ticket articles, the system enforces the “Is visible for customer” flag by default and does not allow users to disable this setting through the user interface.

As a result, internal ticket information that should remain confidential can be unintentionally exposed to external users via the External Frontend.

Impact Analysis

The vulnerability can lead to unintended exposure of sensitive internal ticket information to external users. This could compromise confidentiality and potentially reveal internal processes or data that should remain private.

Compliance Impact

The vulnerability causes unintended exposure of internal ticket information to external users due to improper default configuration in OTRS 2026.3.1. This exposure of potentially sensitive internal data could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

However, the provided information does not explicitly mention compliance impacts or specific regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48210. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart