CVE-2026-48190

EUVD-2026-33550
An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected.

This issue affects OTRS: 

  *  7.0.X
  *  8.0.X
  *  2023.X
  *  2024.X
  *  2025.X
  *  2026.X before 2026.4.X
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
OTRSCNA
3.5 LOW
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
otrsotrs
7.0.0 ≤
𝑥
< 7.1.0
CNA
otrsotrs
8.0.0 ≤
𝑥
< 8.1.0
CNA
otrsotrs
2023.0 ≤
𝑥
< 2024.0
CNA
otrsotrs
2024.0 ≤
𝑥
< 2025.0
CNA
otrsotrs
2025.0 ≤
𝑥
< 2026.0
CNA
otrsotrs
2026.0 ≤
CNA
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://otrs.com/release-notes/otrs-security-advisory-2026-04/