{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48188", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2026-05-21T07:53:13.254Z", "datePublished": "2026-06-01T03:33:15.822Z", "dateUpdated": "2026-06-01T03:33:15.822Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["Database Layer"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"status": "affected", "version": "7.0.x"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x"}, {"status": "affected", "version": "2025.x"}, {"lessThanOrEqual": "2026.3.x", "status": "affected", "version": "2026.x", "versionType": "patch"}]}, {"defaultStatus": "affected", "product": "((OTRS)) Community Edition", "vendor": "OTRS AG", "versions": [{"status": "affected", "version": "6.x"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Special thanks to Daniel Triznafor reporting this vulnerability"}], "datePublic": "2026-06-01T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition&nbsp;database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if&nbsp;the MySQL/MariaDB server is configured with the <code>NO_BACKSLASH_ESCAPES</code> SQL mode.<p></p><p>This issue affects OTRS: </p><ul><li>7.0.X</li><li>8.0.X</li><li>2023.X</li><li>2024.X</li><li>2025.X</li><li>2026.X before 2026.4.X</li><li>(OTRS)) Community Edition: 6.0.x<br></li></ul><div>Products based on the ((OTRS)) Community Edition also very likely to be affected</div><p></p>"}], "value": "An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition\u00a0database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if\u00a0the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X\n * (OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115 Authentication Bypass"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2026-06-01T03:33:15.822Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2026-02/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches<br>"}], "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches"}], "source": {"advisory": "OSA-2026-02", "defect": ["Ticket#2026052110000134", "Issue#4824", "Issue#4859"], "discovery": "EXTERNAL"}, "title": "SQL Injection via MySQL Quote Method", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Reconfigure&nbsp;MySQL/MariaDB servernot to use&nbsp;<code>NO_BACKSLASH_ESCAPES</code> SQL"}], "value": "Reconfigure\u00a0MySQL/MariaDB servernot to use\u00a0NO_BACKSLASH_ESCAPES SQL"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition\u00a0database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if\u00a0the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X\n * (OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected"}], "id": "CVE-2026-48188", "lastModified": "2026-06-01T04:16:22.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security@otrs.com", "type": "Secondary"}]}, "published": "2026-06-01T04:16:22.583", "references": [{"source": "security@otrs.com", "url": "https://otrs.com/release-notes/otrs-security-advisory-2026-02/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security@otrs.com", "type": "Secondary"}]}

{}

{}