CVE-2026-48189
Status: Analyzed - Analysis Complete
Improper Input Validation in OTRS Customer Backend

Publication date: 2026-06-01

Last updated on: 2026-06-15

Assigner: OTRS AG

Description
An improper input validation vulnerability in the OTRS Customer Backend module allows access to customer information that is restricted to other groups. Please note that the feature has to be enabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X and 2026.X before 2026.4.X.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-15
Generated: 2026-06-21
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products
Vendor   Product   Version / Range
otrs     otrs      From 7.0.0 (inc) to 8.0.37 (inc)
otrs     otrs      From 2023.0.0 (inc) to 2026.4.1 (exc)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Detection Guidance

This vulnerability affects OTRS systems where the CustomerGroupSupport feature is enabled and allows unauthorized access to restricted customer information.

To determine whether your system is affected, check that the installed OTRS version is one of the affected versions (7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, or 2026.X before 2026.4.X) and whether the CustomerGroupSupport feature is enabled.

Since the vulnerability involves improper input validation allowing unauthorized querying of customer information, you can attempt to test access controls by querying customer data from different user groups to see if unauthorized access is possible.

No specific detection commands are provided in the available resources.

Executive Summary

This vulnerability is an improper input validation issue in the OTRS Customer Backend module. It allows unauthorized access to customer information that should be restricted to certain groups. For the vulnerability to be exploitable, the feature must be enabled and the CustomerGroupSupport functionality must be in use.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive customer information to users or groups that should not have access. This could result in privacy breaches and potential misuse of customer data.

Compliance Impact

This vulnerability allows unauthorized access to customer information restricted to other groups due to improper input validation in the OTRS Customer Backend module. Exposure of sensitive information to unauthorized actors can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which mandate strict controls on access to personal and sensitive data.

Since the vulnerability involves unauthorized disclosure of sensitive customer data, affected organizations may face risks related to data privacy breaches, potentially resulting in regulatory penalties or legal consequences under standards like GDPR and HIPAA.

Mitigation requires updating to OTRS 2026.4.1 or later versions to prevent unauthorized data access and help maintain compliance with these regulations.

Mitigation Strategies

To mitigate the vulnerability CVE-2026-48189, you should update your OTRS software to version 2026.4.1 or later.

Note that this vulnerability only affects systems where the CustomerGroupSupport feature is enabled, so you may also consider disabling this feature if it is not required.

No patches will be released for OTRS 7, so upgrading to a supported version is necessary.
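As an added example that is not part of this record or of OTRS itself, the following Python encodes the two preconditions above: an installed version inside the affected ranges from the CPE table, and CustomerGroupSupport enabled. The Kernel/Config.pm line format used to read the setting and the treatment of a missing assignment as disabled are assumptions of this example.

```python
import re
from typing import Tuple

# Affected ranges as listed in the CVE record: (lower, lower_inclusive, upper, upper_inclusive).
AFFECTED_RANGES = [
    ("7.0.0", True, "8.0.37", True),
    ("2023.0.0", True, "2026.4.1", False),
]
FIXED_VERSION = "2026.4.1"

def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '8.0.37' or 'v2026.4' into a 3-tuple of ints; tags after '-' or '+' are dropped."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))          # pad so '7.0' compares as 7.0.0
    return tuple(parts[:3])

def in_range(version, lower, lower_inc, upper, upper_inc) -> bool:
    v, lo, hi = parse_version(version), parse_version(lower), parse_version(upper)
    return (v >= lo if lower_inc else v > lo) and (v <= hi if upper_inc else v < hi)

def is_affected_version(version: str) -> bool:
    """True when the version lies inside any affected range from the record."""
    return any(in_range(version, *r) for r in AFFECTED_RANGES)

# Assumption: the setting is read from a Kernel/Config.pm-style override line such as
#   $Self->{CustomerGroupSupport} = 1;
# The record only names the setting; this line format is this example's assumption.
_CGS_RE = re.compile(r"\$Self->\{'?CustomerGroupSupport'?\}\s*=\s*(\d+)\s*;")

def customer_group_support_enabled(config_text: str) -> bool:
    """Last assignment wins; a missing assignment is treated as disabled (assumption)."""
    matches = _CGS_RE.findall(config_text)
    return bool(matches) and matches[-1] != "0"

def assess(version: str, config_text: str) -> str:
    """Combine both preconditions from the record into one verdict string."""
    if not is_affected_version(version):
        return "not affected: version outside affected ranges"
    if not customer_group_support_enabled(config_text):
        return "exposed code present but CustomerGroupSupport disabled: upgrade to %s or later" % FIXED_VERSION
    return "affected: upgrade to %s or later" % FIXED_VERSION

# Constructed sample Config.pm fragment, not taken from any real installation.
SAMPLE_CONFIG = """
$Self->{DatabaseHost} = '127.0.0.1';
$Self->{CustomerGroupSupport} = 1;
"""

if __name__ == "__main__":
    for v in ("8.0.37", "8.0.38", "2026.4.0", "2026.4.1"):
        print(v, "->", assess(v, SAMPLE_CONFIG))
```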
