PatchSiren cyber security CVE debrief

CVE-2026-48191 OTRS AG CVE debrief

An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about the number of affected CIs, SLAs and services without gaining access to them.

Vendor: OTRS AG
Product: OTRS
CVSS: LOW 3.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-01
Original CVE updated: 2026-06-01
Advisory published: 2026-06-01
Advisory updated: 2026-06-01

Who should care

Organizations running OTRS with STORM modules who rely on Document Search functionality and need to prevent metadata enumeration by lower-privileged users.

Technical summary

This vulnerability exists in the Document Search Article Meta Filters modules of OTRS installations that include STORM functionality, and in OTRS 2026.x and above. The permission handling flaw allows an authenticated attacker with low privileges to learn the existence and quantity of Configuration Items (CIs), Service Level Agreements (SLAs), and services without being granted access to view the objects themselves. The issue is rated LOW severity with a CVSS 3.1 score of 3.5; the rating reflects a limited confidentiality impact and the need for user interaction. The root cause is categorized under CWE-276 (Incorrect Default Permissions). Affected versions are OTRS with STORM modules from 7.0.X through 2025.X, and 2026.X prior to 2026.4.X.

Defensive priority

LOW

Recommended defensive actions

  • Review OTRS security advisory 2026-05 for patch availability and version guidance
  • Upgrade affected OTRS with STORM installations to version 2026.4.X or later when available
  • Audit Document Search Article Meta Filters module permissions for unauthorized information disclosure
  • Verify user access controls limit enumeration of configuration items, SLAs, and service metadata
  • Monitor access logs for unusual query patterns against Document Search functionality
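As an added illustration (not OTRS or STORM code, and not a reconstruction of the actual flaw), the following Python models the bug class that the technical summary and the audit bullets describe: a metadata filter that aggregates counts before the permission check, beside the corrected ordering and a small audit helper that lists which facet values the unsafe ordering would expose. The Article fields, group names and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Article:
    id: int
    service: str            # service/SLA/CI metadata attached to the article
    acl_groups: frozenset   # groups allowed to read this article


# Constructed sample data: three services, only "Email" readable by helpdesk.
ARTICLES = [
    Article(1, "Email", frozenset({"helpdesk"})),
    Article(2, "VPN", frozenset({"netops"})),
    Article(3, "VPN", frozenset({"netops"})),
    Article(4, "Payroll", frozenset({"finance"})),
]


def can_read(user_groups: set, article: Article) -> bool:
    """Object-level permission check: any shared group grants read access."""
    return bool(user_groups & article.acl_groups)


def meta_filter_counts_unsafe(user_groups: set, articles=ARTICLES) -> dict:
    """Facet counts built over every article; the permission check is left
    to the later result listing, so the counts alone reveal how many
    objects exist per service (the user_groups argument is never consulted)."""
    return dict(Counter(a.service for a in articles))


def meta_filter_counts_fixed(user_groups: set, articles=ARTICLES) -> dict:
    """Permission check applied before aggregation: the user only learns
    about values attached to objects they are allowed to read."""
    return dict(Counter(a.service for a in articles if can_read(user_groups, a)))


def leaked_values(user_groups: set, articles=ARTICLES) -> list:
    """Audit helper: facet values the unsafe response would disclose that the
    user cannot reach through any readable object."""
    unsafe = meta_filter_counts_unsafe(user_groups, articles)
    fixed = meta_filter_counts_fixed(user_groups, articles)
    return sorted(set(unsafe) - set(fixed))


if __name__ == "__main__":
    print(leaked_values({"helpdesk"}))  # ['Payroll', 'VPN']
```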

Evidence notes

The CVE description identifies affected versions spanning 7.0.X through 2026.X before 2026.4.X for OTRS with STORM modules. The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) supports the LOW severity rating of 3.5: network attack vector, low attack complexity, low privileges and user interaction required, and a limited confidentiality impact only. The weakness is classified as CWE-276 (Incorrect Default Permissions). The vendor attribution to OTRS is derived from reference-domain candidate evidence and the security advisory reference from [email protected]; vendor confidence is marked low and the needsReview flag is set.
