3.5

CVE-2026-48190

Incorrect handling of permissions in External Interface Config Item List module

An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected.

This issue affects OTRS: 

  *  7.0.X
  *  8.0.X
  *  2023.X
  *  2024.X
  *  2025.X
  *  2026.X before 2026.4.X
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
OtrsOtrs Version >= 7.0.0 <= 8.0.37
OtrsOtrs Version >= 2023.0.0 < 2026.4.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.14% 0.039
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@otrs.com 3.5 2.1 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://otrs.com/release-notes/otrs-security-advisory-2026-04/
Vendor Advisory