PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48189 OTRS AG CVE debrief

An improper input validation vulnerability in the OTRS Customer Backend module allows authenticated users to access customer information restricted to groups they do not belong to. The vulnerability is only reachable when the affected feature is enabled and CustomerGroupSupport is in use. The issue affects multiple OTRS versions, including 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N) indicates a network attack vector, low attack complexity, low privileges required, user interaction required, unchanged scope, and high confidentiality impact, with no integrity or availability impact. The weakness is classified as CWE-200 (Information Exposure).

Vendor
OTRS AG
Product
OTRS
CVSS
MEDIUM 5.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running OTRS with CustomerGroupSupport enabled, particularly those with multi-tenant or strictly segregated customer data requirements

Technical summary

The vulnerability stems from improper input validation in the OTRS Customer Backend module. When CustomerGroupSupport is enabled, the application fails to validate that the requesting user is a member of a group the requested customer record is assigned to, so an authenticated user with low privileges can read customer records that belong to other groups. The attack requires user interaction and yields high confidentiality impact without affecting integrity or availability. Affected versions span 7.0.X through 2026.X prior to 2026.4.X.

Defensive priority

Medium

Recommended defensive actions

  • Verify whether CustomerGroupSupport is enabled in your OTRS deployment
  • Apply OTRS updates to version 2026.4.X or later when available
  • Review customer information access logs for anomalous cross-group queries
  • Restrict unnecessary access to the Customer Backend module pending patching
  • Monitor the OTRS security advisory for additional remediation guidance
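The technical summary above describes the missing check (a user reading a customer record assigned to a group they are not in), and the actions above ask for a log review for cross-group queries. The following script, written for this debrief and not taken from OTRS or the advisory, shows both: a fail-closed group-membership check of the kind the vulnerable path should perform, and a pass over constructed access-log lines that flags reads which would not satisfy that check. The group model, user names, customer IDs, and the log line format are all assumptions made for the example; real OTRS logging and group storage differ, so the parsing regex would need to be adapted to the actual log source.

```python
"""Cross-group customer-record access check and log review.

Added example, not OTRS code. It assumes a simplified model of
OTRS CustomerGroupSupport: every customer user belongs to one or
more groups, and a customer record (customer ID) is readable only by
members of the group(s) that customer ID is assigned to. Group
memberships, customer IDs and log lines below are constructed.
"""
from dataclasses import dataclass
import re

# Constructed: group membership of customer users (user -> groups)
USER_GROUPS = {
    "alice@example.com": {"tenant-a"},
    "bob@example.com": {"tenant-b"},
    "carol@example.com": {"tenant-a", "tenant-b"},
}

# Constructed: group(s) each customer ID is restricted to
CUSTOMER_ID_GROUPS = {
    "CUST-A-100": {"tenant-a"},
    "CUST-B-200": {"tenant-b"},
}


def authorized(user: str, customer_id: str) -> bool:
    """Hardened check: the user may read the record only if they share at
    least one group with the customer ID. Unknown users or customer IDs
    are denied (fail closed) rather than trusting the CustomerID value
    supplied in the request."""
    user_groups = USER_GROUPS.get(user, set())
    record_groups = CUSTOMER_ID_GROUPS.get(customer_id, set())
    return bool(user_groups & record_groups)


# Constructed log format: "<timestamp> user=<u> action=<a> customer_id=<c>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"customer_id=(?P<cid>\S+)$"
)

# Constructed sample log: one legitimate read per tenant, one cross-group
# read by alice, one read by an unknown user, and one non-read action.
SAMPLE_LOG = """\
2026-06-02T09:00:01Z user=alice@example.com action=CustomerRead customer_id=CUST-A-100
2026-06-02T09:00:05Z user=alice@example.com action=CustomerRead customer_id=CUST-B-200
2026-06-02T09:01:10Z user=bob@example.com action=CustomerRead customer_id=CUST-B-200
2026-06-02T09:02:00Z user=carol@example.com action=CustomerRead customer_id=CUST-A-100
2026-06-02T09:02:30Z user=mallory@example.com action=CustomerRead customer_id=CUST-A-100
2026-06-02T09:03:00Z user=bob@example.com action=TicketSearch customer_id=CUST-A-100
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    customer_id: str


def find_cross_group_reads(log_text: str) -> list:
    """Return CustomerRead events whose acting user is not in any group the
    requested customer ID is assigned to. Lines that do not match the
    expected format, and non-read actions, are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "CustomerRead":
            continue
        if not authorized(m["user"], m["cid"]):
            findings.append(Finding(m["ts"], m["user"], m["cid"]))
    return findings


if __name__ == "__main__":
    for f in find_cross_group_reads(SAMPLE_LOG):
        print(f"cross-group read: {f.user} -> {f.customer_id} at {f.ts}")
```

On the constructed sample this reports two events: alice reading CUST-B-200 (a tenant-b record) and mallory, who is in no group, reading CUST-A-100. bob's TicketSearch line is ignored because only read actions are in scope here; when adapting this to a real deployment, widen the action filter to whatever operations expose customer data in your logs.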

Evidence notes

CVE published and modified 2026-06-01. OTRS security advisory referenced as primary source. Vendor attribution based on reference domain candidate 'Otrs' with low confidence; marked for review.

Official resources

2026-06-01