PatchSiren cyber security CVE debrief

CVE-2026-48187 OTRS AG CVE debrief

An uncontrolled resource allocation vulnerability in OTRS email handling allows excessive resource consumption that may cause the webserver process to abort. The vulnerability stems from missing limits or throttling mechanisms during email processing. Affected versions include OTRS 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X. The vendor advisory also indicates that ((OTRS)) Community Edition 6.x, OTRS 7.x, and products derived from the ((OTRS)) Community Edition are very likely affected. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H) describes a network-reachable, low-complexity issue that requires low privileges and user interaction and has a high availability impact. CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling) are identified as the relevant weakness classifications. The vulnerability was published on June 1, 2026, and a vendor advisory reference is available.

Vendor
OTRS AG
Product
OTRS
CVSS
MEDIUM 5.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running OTRS instances with email integration, particularly those processing high volumes of inbound email or operating multi-tenant environments where resource isolation between tenants may be incomplete.

Technical summary

The vulnerability exists in OTRS email handling functionality, where resource allocation occurs without proper limits or throttling. An attacker with low privileges, given the required user interaction, can trigger excessive resource allocation during email processing and potentially cause the webserver process to abort. The attack vector is network-based with low attack complexity. No confidentiality or integrity impact is indicated; the primary impact is to availability.

Defensive priority

Medium

Recommended defensive actions

  • Apply vendor patches when available for supported OTRS versions (2026.4.X or later).
  • For unsupported or Community Edition deployments, implement resource limits at the webserver or container level to constrain email processing resource consumption.
  • Monitor email queue processing for abnormal memory or CPU utilization patterns that may indicate resource exhaustion attempts.
  • Consider rate limiting or size restrictions on inbound email processing if not already configured.
  • Review and update incident response procedures to address potential availability impacts from resource exhaustion in email handling components.
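As an added example (not OTRS's or the vendor's code), a hypothetical inbound-email gate that applies the size and rate restrictions recommended above before a message reaches the parser; the caps, timestamps and sender addresses are assumed, constructed values:

```python
"""Inbound e-mail gate enforcing size, attachment and per-sender rate caps.

Hypothetical pre-filter a ticket system could run before handing a message
to its e-mail parser (a CWE-770 mitigation). Not OTRS code; caps are assumed.
"""
from collections import deque
from dataclasses import dataclass, field

MAX_MESSAGE_BYTES = 16 * 1024 * 1024   # assumed cap; tune per deployment
MAX_ATTACHMENTS = 50                   # assumed cap
RATE_WINDOW_SECONDS = 60               # assumed sliding window
RATE_MAX_PER_SENDER = 20               # assumed cap per sender per window


@dataclass
class InboundGate:
    max_bytes: int = MAX_MESSAGE_BYTES
    max_attachments: int = MAX_ATTACHMENTS
    window: int = RATE_WINDOW_SECONDS
    max_per_window: int = RATE_MAX_PER_SENDER
    _seen: dict = field(default_factory=dict)  # sender -> deque of accept times

    def check(self, sender, size_bytes, attachment_count, now):
        """Return 'accept' or a rejection reason; cheapest checks run first.

        Rejected messages never enter the rate window, so an oversized flood
        cannot also consume a sender's legitimate quota.
        """
        if size_bytes > self.max_bytes:
            return "reject:size"
        if attachment_count > self.max_attachments:
            return "reject:attachments"
        q = self._seen.setdefault(sender, deque())
        while q and now - q[0] >= self.window:   # drop expired entries
            q.popleft()
        if len(q) >= self.max_per_window:
            return "reject:rate"
        q.append(now)
        return "accept"


# Constructed traffic: (sender, size in bytes, attachment count, timestamp).
CONSTRUCTED_MESSAGES = [
    ("a@example.test", 1024, 1, 0.0),
    ("a@example.test", 50 * 1024 * 1024, 1, 1.0),   # oversized body
    ("a@example.test", 1024, 200, 2.0),             # attachment flood
] + [("b@example.test", 2048, 0, 10.0 + i) for i in range(25)] + [
    ("b@example.test", 2048, 0, 100.0),             # window has expired
]


def run_demo(messages=CONSTRUCTED_MESSAGES):
    """Feed the constructed messages through one gate and return decisions."""
    gate = InboundGate()
    return [gate.check(*m) for m in messages]
```

A rejected message should also be logged with its reason, since a burst of `reject:size` or `reject:rate` decisions is the detection signal the monitoring action above asks for.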

Evidence notes

The CVE description identifies the affected version ranges and notes the likely impact on Community Edition derivatives. The CVSS vector and CWE classifications are sourced from the NVD record. The vendor security advisory was published 2026-06-01.
