CVE-2026-48188

EUVD-2026-33552

01.06.2026, 04:16

An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.

This issue affects OTRS: 

  *  7.0.X
  *  8.0.X
  *  2023.X
  *  2024.X
  *  2025.X
  *  2026.X before 2026.4.X
  *  (OTRS)) Community Edition: 6.0.x

Products based on the ((OTRS)) Community Edition also very likely to be affected

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
OTRS	CNA	9.1 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
otrs	otrs	7.0.0 ≤ 𝑥 < 7.1.0	CNA
otrs	otrs	8.0.0 ≤ 𝑥 < 8.1.0	CNA
otrs	otrs	2023.0 ≤ 𝑥 < 2024.0	CNA
otrs	otrs	2024.0 ≤ 𝑥 < 2025.0	CNA
otrs	otrs	2025.0 ≤ 𝑥 < 2026.0	CNA
otrs	otrs	2026.0 ≤	CNA
otrs	otrs	6.0 ≤ 𝑥 < 7.0	CNA

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Vulnerability Media Exposure

[GERMAN] OTRS: Mehrere Schwachstellen
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in OTRS ausnutzen, um einen Denial of Service zu verursachen, um eine SQL Injection durchzuführen, um Informationen offenzulegen und um einen XSS Angriff durchzuführen.
Published: 2026-05-31T22:00:00+00:00

References

https://otrs.com/release-notes/otrs-security-advisory-2026-02/