CVE-2026-48191
Information Disclosure in OTRS STORM Document Search
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: OTRS AG
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| otrs | otrs | 7.0 |
| otrs | otrs | 8.0 |
| otrs | otrs | 2023 |
| otrs | otrs | 2024 |
| otrs | otrs | 2025 |
| otrs | otrs | up to 2026.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is caused by incorrect handling of permissions in the STORM powered by OTRS and OTRS Document Search Article Meta Filters modules. It allows an attacker to learn the number of affected Configuration Items (CIs), Service Level Agreements (SLAs), and services without having proper access to them.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker with limited privileges can obtain information about the number of affected CIs, SLAs, and services. Although the attacker does not gain direct access to these resources, the leakage of this information could potentially be used to infer sensitive operational details or assist in further attacks.