CVE-2026-48191

EUVD-2026-33549
An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them.

This issue affects OTRS with STORM modules: 

  *  7.0.X
  *  8.0.X
  *  2023.X
  *  2024.X
  *  2025.X
  *  2026.X before 2026.4.X
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
3.5 LOW
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Affected Products (NVD)
VendorProductVersion
otrsotrs
7.0.0 ≤
𝑥
≤ 8.0.37
otrsotrs
2023.0.0 ≤
𝑥
< 2026.4.1
𝑥
= Vulnerable software versions