CVE-2026-48191

EUVD-2026-33549
An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them.

This issue affects OTRS with STORM modules: 

  *  7.0.X
  *  8.0.X
  *  2023.X
  *  2024.X
  *  2025.X
  *  2026.X before 2026.4.X
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
OTRSCNA
3.5 LOW
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 6%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
otrsotrs
8.0.0 ≤
𝑥
< 8.1.0
CNA
otrsotrs
2023.0 ≤
𝑥
< 2024.0
CNA
otrsotrs
2024.0 ≤
𝑥
< 2025.0
CNA
otrsotrs
2025.0 ≤
𝑥
< 2026.0
CNA
otrsotrs
2026.0 ≤
CNA
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://otrs.com/release-notes/otrs-security-advisory-2026-05/