CVE-2026-48188

SQL Injection via MySQL Quote Method

Assigner: OTRS
Reserved: 21.05.2026 Published: 01.06.2026 Updated: 01.06.2026

An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.

This issue affects OTRS:

7.0.X
8.0.X
2023.X
2024.X
2025.X
2026.X before 2026.4.X
(OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CVSS Score: 9.1

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	OTRS AG
Product	OTRS
Versions	Default: affected Version 7.0.x is affected Version 8.0.x is affected Version 2023.x is affected Version 2024.x is affected Version 2025.x is affected affected from 2026.x to 2026.3.x (incl.)

Vendor

OTRS AG

Product

OTRS

Versions

Default: affected

Version 7.0.x is affected
Version 8.0.x is affected
Version 2023.x is affected
Version 2024.x is affected
Version 2025.x is affected
affected from 2026.x to 2026.3.x (incl.)

Vendor	OTRS AG
Product	((OTRS)) Community Edition
Versions	Default: affected Version 6.x is affected

Vendor

OTRS AG

Product

((OTRS)) Community Edition

Versions

Default: affected

Version 6.x is affected

Workarounds

Reconfigure MySQL/MariaDB servernot to use NO_BACKSLASH_ESCAPES SQL

Solutions

Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches

Credits

Special thanks to Daniel Triznafor reporting this vulnerability reporter

References

Problem Types

CWE-20 Improper Input Validation CWE

Impacts

CAPEC-115 Authentication Bypass

CVE-2026-48188 PUBLISHED