PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48210 OTRS AG CVE debrief

An improper default configuration in OTRS 2026.3.1 causes the ticket article forwarding action to set the “Is visible for customer” flag by default, and the UI gives agents no way to clear it while forwarding. Forwarded articles that were meant to stay internal therefore become visible to the customer in the External Frontend.

Vendor
OTRS AG
Product
OTRS
CVSS
MEDIUM 5.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-31
Original CVE updated
2026-05-31
Advisory published
2026-05-31
Advisory updated
2026-05-31

Who should care

OTRS administrators, helpdesk managers, and security teams running OTRS 2026.3.1 who need to prevent unintended customer exposure of internal ticket communications.

Technical summary

In OTRS 2026.3.1 the ticket article forwarding action sets the “Is visible for customer” flag by default, and the UI offers no control to clear it during forwarding. Because the External Frontend shows every article carrying that flag, a forwarded article becomes visible to the customer even when the agent intended it to remain internal. The CVE classifies the weakness as an improper default configuration (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor; CWE-269: Improper Privilege Management). Exploitation requires an authenticated account with low privileges and user interaction (an agent performing the forward), but the confidentiality impact on the exposed content is rated high; integrity and availability are unaffected.

Defensive priority

medium

Recommended defensive actions

  • Review OTRS security advisory 2026-09 for patch availability and configuration guidance.
  • Verify OTRS instance version and upgrade to a fixed release if running 2026.3.1.
  • Audit ticket forwarding workflows and article visibility settings for unintended customer exposure.
  • Until the configuration is corrected, instruct agents to treat every forward as customer-visible and to avoid forwarding articles that contain internal-only content; the UI gives them no way to clear the flag at forwarding time.
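The audit step above needs a concrete check for forwards that have already landed in the External Frontend with the flag set. The following is an added example for this debrief, not OTRS AG code: an SQL audit query joined through the ticket history, wrapped in a Python harness that builds a constructed SQLite fixture so the logic can be exercised offline. It assumes the OTRS 6-era schema (the article.is_visible_for_customer column, ticket_history.article_id, and a ticket_history_type row named 'Forward'); verify those names against the schema of your installed release before running the query against a production database, and replace the fixture connection with your real database handle.

```python
"""Audit query for forwarded articles that are visible in the External Frontend.

Added example, not OTRS AG code. Assumes the OTRS 6-era schema
(article.is_visible_for_customer, ticket_history.article_id,
ticket_history_type.name = 'Forward'); check these names against your
installed version. The fixture below is constructed sample data so the
query can be exercised offline in SQLite.
"""
import sqlite3

# Each forward writes a ticket_history row of type 'Forward' that points at the
# newly created article, so joining through the history table finds forwards
# regardless of the article's sender type or communication channel.
AUDIT_SQL = """
SELECT a.id        AS article_id,
       a.ticket_id AS ticket_id,
       a.create_time,
       a.create_by AS agent_id
FROM   article a
JOIN   ticket_history h
       ON h.article_id = a.id
JOIN   ticket_history_type t
       ON t.id = h.history_type_id
WHERE  t.name = 'Forward'
  AND  a.is_visible_for_customer = 1
  AND  a.create_time >= ?
ORDER  BY a.create_time
"""

# Minimal subset of the assumed schema, enough for the query to run in SQLite.
SCHEMA = """
CREATE TABLE article (
    id INTEGER PRIMARY KEY, ticket_id INTEGER, is_visible_for_customer INTEGER,
    create_time TEXT, create_by INTEGER);
CREATE TABLE ticket_history_type (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE ticket_history (
    id INTEGER PRIMARY KEY, ticket_id INTEGER, article_id INTEGER,
    history_type_id INTEGER);
"""

# Constructed sample data for ticket 100: an internal note (article 1), an
# internal forward from before the affected release (article 2), a forward
# that came out customer-visible (article 3) and a deliberately customer-
# visible note (article 4) that must not be reported because it is no forward.
FIXTURE = """
INSERT INTO ticket_history_type VALUES (1, 'AddNote'), (2, 'Forward');
INSERT INTO article VALUES
    (1, 100, 0, '2026-05-01 09:00:00', 7),
    (2, 100, 0, '2026-05-02 09:00:00', 7),
    (3, 100, 1, '2026-06-01 09:00:00', 7),
    (4, 100, 1, '2026-06-02 09:00:00', 7);
INSERT INTO ticket_history VALUES
    (1, 100, 1, 1),
    (2, 100, 2, 2),
    (3, 100, 3, 2),
    (4, 100, 4, 1);
"""


def build_fixture() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + FIXTURE)
    return conn


def find_exposed_forwards(conn, since="2026-01-01 00:00:00"):
    """Return (article_id, ticket_id, create_time, agent_id) for every
    forwarded article flagged visible for the customer since `since`."""
    return conn.execute(AUDIT_SQL, (since,)).fetchall()


if __name__ == "__main__":
    for row in find_exposed_forwards(build_fixture()):
        print("customer-visible forward:", row)
```

Run against the fixture, only article 3 is reported: the internal forward and the customer-visible note are excluded, which is the behaviour you want from the production query as well. Narrow `since` to the date the 2026.3.1 upgrade went live to limit the review to forwards the defective default could have affected.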

Evidence notes

The CVE description and OTRS security advisory identify this as an improper default configuration (CWE-200, CWE-269) in OTRS 2026.3.1. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N, scoring 5.7 (MEDIUM). The vendor attribution is based on reference domain candidate evidence (Otrs) with low confidence and requires review.

Official resources

OTRS published a security advisory for this issue. The CVE was published on 2026-05-31.