PatchSiren cyber security CVE debrief

CVE-2026-48190 OTRS AG CVE debrief

Incorrect handling of permissions in the OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for Configuration Item (CI) information. Note that an installation is only affected when CMDB is enabled and CustomerGroupSupport is in use. This issue affects OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and 2026.X before 2026.4.X.

Vendor
OTRS AG
Product
OTRS
CVSS
LOW 3.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-01
Original CVE updated
2026-06-01
Advisory published
2026-06-01
Advisory updated
2026-06-01

Who should care

Organizations running OTRS with CMDB and CustomerGroupSupport enabled, particularly those with external customer portals or multi-tenant environments where customer data segregation is critical.

Technical summary

CVE-2026-48190 is a LOW severity (CVSS 3.5) vulnerability in OTRS affecting versions 7.0.X through 2026.X before 2026.4.X. The flaw involves incorrect handling of permissions in the External Interface and ConfigItem List module, allowing authenticated customers to query Configuration Item (CI) information when CMDB is enabled and CustomerGroupSupport is in use. The vulnerability is classified under CWE-276 (Incorrect Default Permissions) and requires network access, low attack complexity, authenticated privileges, and user interaction. Successful exploitation results in low confidentiality impact with no integrity or availability impact.

Defensive priority

Low

Recommended defensive actions

  • Verify whether CMDB and CustomerGroupSupport are enabled in your OTRS environment; if both are active, apply the relevant patch or upgrade to OTRS 2026.4.X or later.
  • Review customer group permissions to ensure least-privilege access to ConfigItem data, limiting unnecessary read access to CMDB information.
  • Monitor access logs for unusual or unauthorized ConfigItem list queries from customer accounts, particularly bulk or automated requests.
  • If immediate patching is not feasible, consider temporarily restricting customer access to the ConfigItem List module until the update can be applied.
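As an added illustration of the monitoring action above (example code written for this debrief, not from PatchSiren or OTRS), the following Python flags customer accounts that issue bursts of ConfigItem list requests in a constructed access log. The log layout, the `user=` field and the `ConfigItemList` path marker are assumptions; adapt them to the request logging actually in place for your External Interface.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log layout (constructed for this example, not the real OTRS format):
#   <ISO timestamp> user=<customer login> "<METHOD> <path>" <HTTP status>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
# Path fragment identifying CI list requests; assumed, adjust to your deployment's route.
CI_LIST_MARKER = "ConfigItemList"

# Constructed sample: one account pages through the CI list repeatedly within a minute.
SAMPLE_LOG = """\
2026-06-02T09:00:01 user=alice@example.test "GET /external/ticket/list" 200
2026-06-02T09:00:03 user=alice@example.test "GET /external/ConfigItemList?Page=1" 200
2026-06-02T09:00:05 user=mallory@example.test "GET /external/ConfigItemList?Page=1" 200
2026-06-02T09:00:08 user=mallory@example.test "GET /external/ConfigItemList?Page=2" 200
2026-06-02T09:00:11 user=mallory@example.test "GET /external/ConfigItemList?Page=3" 200
2026-06-02T09:00:14 user=mallory@example.test "GET /external/ConfigItemList?Page=4" 200
2026-06-02T09:00:17 user=mallory@example.test "GET /external/ConfigItemList?Page=5" 200
2026-06-02T09:00:20 user=mallory@example.test "GET /external/ConfigItemList?Page=6" 200
2026-06-02T09:00:23 user=mallory@example.test "GET /external/ConfigItemList?Page=7" 200
2026-06-02T09:01:00 user=bob@example.test "GET /external/ConfigItemList?Page=1" 200
2026-06-02T09:01:02 user=bob@example.test "GET /external/ConfigItemList?Page=2" 403
"""

def parse(lines):
    """Yield (timestamp, user, path, status) for lines matching the assumed layout."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["path"], int(m["status"])

def flag_bulk_ci_queries(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {user: total successful CI list requests} for accounts that made more
    than `threshold` successful CI list requests inside any sliding `window`."""
    per_user = defaultdict(list)
    for ts, user, path, status in parse(log_text.splitlines()):
        if CI_LIST_MARKER in path and status == 200:   # denied requests do not count
            per_user[user].append(ts)
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:           # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[user] = len(times)
                break
    return flagged
```

Tune `threshold` and `window` to the normal paging behaviour of your customer portal before treating a hit as an alert.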

Evidence notes

The vulnerability requires CMDB to be enabled and CustomerGroupSupport to be used for exploitation. The CVSS v3.1 score of 3.5 (LOW) reflects the need for authenticated customer access and user interaction. The weakness is classified as CWE-276 (Incorrect Default Permissions).
