CVE-2026-48210 PUBLISHED

Possible information disclosure via External Interface

Assigner: OTRS
Reserved: 21.05.2026 Published: 31.05.2026 Updated: 01.06.2026

An improper default configuration in OTRS 2026.3.1 causes the ticket article forwarding action to enforce the “Is visible for customer” flag by default and prevents agents from disabling it via the UI. Because every forwarded article is therefore marked as customer-visible, internal ticket information is unintentionally exposed to the External Frontend.

This issue affects OTRS 2026.3.1

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CVSS Score: 5.7

Product Status

Vendor OTRS AG
Product OTRS
Versions Default: unaffected
  • Version 2026.3.1 is affected

Workarounds

In System Configuration, open Forms###AgentFrontend::TicketArticle::Action::Forward. Next to the “Is visible for customer” field there is a line reading Disabled: 1. Change it to Disabled: 0 or remove the line entirely.

Caution: this change only unlocks the checkbox; it does not change its default state. The flag is still set when an article is forwarded, so the agent has to look at the checkbox on every forward and uncheck it whenever the article must not be visible to the customer.
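The following Python script is an added example and is not part of this advisory or of OTRS itself. It audits an exported form definition for the locked “Is visible for customer” checkbox and applies the workaround above (dropping the Disabled: 1 line for that one field only). The YAML-like layout of the export, the field names (Name, Label, Type, Default, Disabled) and the sample content are assumptions constructed for the example; OTRS's real schema may differ. The check also reports the field's default value, which is what the caution above is about: the workaround unlocks the checkbox but leaves it checked by default.

```python
"""
Audit and patch a form export for the locked "Is visible for customer"
checkbox described in CVE-2026-48210.

ASSUMPTION: the export is a YAML-like list of "- Key: value" blocks under an
unindented form name, with a Label line and an optional "Disabled: 1" line.
This layout is constructed for the example and is not OTRS's real schema.
"""
import re

VISIBILITY_LABEL = "Is visible for customer"

# Constructed sample input mirroring the advisory: the visibility field is
# both checked by default (Default: 1) and locked in the UI (Disabled: 1).
VULNERABLE_FORM = """\
Forms###AgentFrontend::TicketArticle::Action::Forward:
  - Name: ToCustomer
    Label: To
    Type: Text
  - Name: IsVisibleForCustomer
    Label: Is visible for customer
    Type: Checkbox
    Default: 1
    Disabled: 1
  - Name: Body
    Label: Body
    Type: RichText
"""


def parse_form_fields(text):
    """Return one {key: value} dict per '- ' item; unindented lines are headers."""
    fields = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or not raw[0].isspace():
            continue  # blank line or the unindented form name
        line = raw.strip()
        if line.startswith("- "):
            current = {}
            fields.append(current)
            line = line[2:]
        if current is None:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return fields


def audit_visibility_field(text):
    """Report whether the visibility checkbox exists, is locked, and defaults to on."""
    for field in parse_form_fields(text):
        if field.get("Label") == VISIBILITY_LABEL:
            return {
                "found": True,
                "locked": field.get("Disabled") == "1",
                "default_checked": field.get("Default") == "1",
            }
    return {"found": False, "locked": False, "default_checked": False}


def apply_workaround(text):
    """Remove 'Disabled: 1' from the visibility field's block; leave every other field untouched."""
    lines = text.splitlines()
    starts = [i for i, l in enumerate(lines) if l.lstrip().startswith("- ")]
    keep = [True] * len(lines)
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(lines)
        block = lines[start:end]
        if not any(l.strip() == f"Label: {VISIBILITY_LABEL}" for l in block):
            continue
        for i in range(start, end):
            if re.fullmatch(r"Disabled:\s*1", lines[i].strip()):
                keep[i] = False
    return "\n".join(l for l, k in zip(lines, keep) if k) + "\n"


if __name__ == "__main__":
    before = audit_visibility_field(VULNERABLE_FORM)
    fixed = apply_workaround(VULNERABLE_FORM)
    after = audit_visibility_field(fixed)
    print("before workaround:", before)
    print("after workaround: ", after)
    if after["default_checked"]:
        print("checkbox is unlocked but still on by default: agents must uncheck it per forward")
```

Run against the constructed sample, the audit reports the field as locked and on by default; after apply_workaround it is no longer locked but still defaults to on, which is exactly why the caution above remains necessary until the instance is updated.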

Solutions

Update to the latest version of OTRS (2026.4.1 or later).

References

Problem Types

  • CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-269 Improper Privilege Management

Impacts

  • CAPEC-233 Privilege Escalation
  • CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels