{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48210", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2026-05-21T12:12:49.646Z", "datePublished": "2026-05-31T21:11:25.337Z", "dateUpdated": "2026-05-31T21:11:25.337Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["External Interface"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"status": "affected", "version": "2026.3.1"}]}], "datePublic": "2026-06-01T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the \u201cIs visible for customer\u201d flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend</div><div><div><br></div><div>This issue affects OTRS 2026.3.1</div></div>"}], "value": "An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the \u201cIs visible for customer\u201d flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend\n\nThis issue affects OTRS 2026.3.1"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}, {"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2026-05-31T21:11:25.337Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2026-09/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to latest version of OTRS (2026.4.1. or later).<br>"}], "value": "Update to latest version of OTRS (2026.4.1. or later)."}], "source": {"advisory": "OSA-2026-09", "defect": ["Ticket#2026052110000321", "Issue#4853"], "discovery": "USER"}, "title": "Possible information disclosure via External Interface", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Go to Forms###AgentFrontend::TicketArticle::Action::Forward in System Configuration.&nbsp;You will find that by Is visible for customer is a line Disabled: 1. Change it to&nbsp;Disabled to 0 or remove it.&nbsp;<br><br><b>Caution: Still the user has to check the checkbox on forwarding and uncheck it if needed</b>"}], "value": "Go to Forms###AgentFrontend::TicketArticle::Action::Forward in System Configuration.\u00a0You will find that by Is visible for customer is a line Disabled: 1. Change it to\u00a0Disabled to 0 or remove it.\u00a0\n\nCaution: Still the user has to check the checkbox on forwarding and uncheck it if needed"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the \u201cIs visible for customer\u201d flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend\n\nThis issue affects OTRS 2026.3.1"}], "id": "CVE-2026-48210", "lastModified": "2026-05-31T22:16:55.133", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security@otrs.com", "type": "Secondary"}]}, "published": "2026-05-31T22:16:55.133", "references": [{"source": "security@otrs.com", "url": "https://otrs.com/release-notes/otrs-security-advisory-2026-09/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-269"}], "source": "security@otrs.com", "type": "Secondary"}]}

{}

{"created": "2026-05-31T22:30:14.003916+00:00", "updated": "2026-05-31T22:30:14.003948+00:00", "vendors": []}