CVE-2026-48190: OTRS Permission Bypass – CMDB CI Data Disclosure
OTRS has a permission-handling flaw in its External Interface and ConfigItem List module that allows authenticated customers to access Configuration Item (CI) information they shouldn't be able to see. The vulnerability only manifests when both CMDB is enabled and CustomerGroupSupport is configured, meaning organizations using default or simpler OTRS setups may not be affected. An attacker would need valid customer credentials and user interaction to exploit this issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-276
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-48190 stems from improper access control in OTRS's External Interface combined with the ConfigItem List module. The vulnerability enables an authenticated customer-tier user to enumerate or retrieve CI data from the CMDB in violation of intended permission boundaries. The flaw is rooted in CWE-276 (Incorrect Default Permissions), indicating the module fails to enforce group-based access restrictions properly when CustomerGroupSupport is active. Exploitation requires valid authentication credentials and user interaction; no network-only attack vector exists.
Business impact
For OTRS deployments using CMDB and CustomerGroupSupport, this vulnerability risks information disclosure of IT asset and configuration data. Customers could learn details about your infrastructure, software versions, hardware inventory, or related business systems—potentially aiding further reconnaissance or social engineering attacks. The impact is typically bounded by what CI data you expose and the sensitivity of your asset inventory, but in environments where CI data contains sensitive details (licensing, vendor info, internal system names), this poses a moderate information security concern.
Affected systems
OTRS versions 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x, and 2026.x before 2026.4.x are vulnerable. The vulnerability is conditional: it only manifests in deployments where both the CMDB module is enabled and CustomerGroupSupport is configured. Organizations running OTRS without these specific features enabled are not affected. Verify your OTRS version and configuration to determine exposure.
Exploitability
Exploitation is classified as LOW severity (CVSS 3.5) because it requires multiple preconditions: valid customer authentication, CMDB enablement, CustomerGroupSupport activation, and user interaction. An attacker cannot exploit this remotely without credentials. The access is limited to CI information and does not permit modification or system disruption. Practical attack scenarios typically involve a malicious or compromised customer account performing reconnaissance of your IT asset inventory.
Remediation
Upgrade OTRS to version 2026.4.x or later. If you cannot upgrade immediately, review and restrict CustomerGroupSupport configuration to minimize the data accessible to customer accounts, or disable the CMDB module if it is not operationally necessary. Audit customer account access logs to identify any unauthorized CI queries.
Patch guidance
Apply OTRS 2026.4.x or a later patched version as provided by the OTRS vendor. Verify the vendor security advisory for any additional configuration changes recommended alongside the patch. Test the patch in a non-production environment first to ensure compatibility with your existing OTRS customizations and integrations. If you are on version 2026.x before 2026.4.x, prioritize this update; versions 2023.x through 2025.x will likely receive a corresponding backport—check vendor advisories for availability.
Detection guidance
Monitor OTRS External Interface logs for customer-initiated ConfigItem List queries, particularly those attempting to retrieve CI data outside their assigned group scope. Use OTRS access logs to identify patterns of CI enumeration or queries for sensitive asset information. Review customer account activity around the publication date (June 2026) to establish a baseline for normal CI access and flag anomalies. Consider enabling detailed audit logging for CMDB queries if your deployment permits.
Why prioritize this
Although the CVSS score is LOW (3.5), prioritize patching in environments where CMDB contains sensitive asset or infrastructure data. Organizations using CustomerGroupSupport for multi-tenant or multi-customer segregation should treat this as medium priority because customer isolation is a core security control. The conditional nature (CMDB + CustomerGroupSupport required) means this is not a universal threat, but organizations meeting both conditions should patch in a routine maintenance cycle.
Risk score, explained
The CVSS 3.1 score of 3.5 reflects low attack complexity, requirement for prior authentication, lack of user interaction impact (though exploitation itself requires UI interaction), and confidentiality impact limited to CI data. The score does not increase due to absence of integrity or availability impact. In a multi-tenant OTRS environment where customer isolation is critical, your internal risk tolerance may warrant treating this as higher priority despite the low base score.
Frequently asked questions
Do I need to patch if I don't use CMDB or CustomerGroupSupport?
No. This vulnerability only manifests if both CMDB is enabled and CustomerGroupSupport is configured. If either is disabled, you are not affected. Verify your OTRS system configuration to confirm.
What exactly can an attacker see if they exploit this?
An attacker with valid customer credentials can query and view Configuration Item (CI) information from the CMDB that should be restricted by their customer group. This typically includes asset names, hardware details, software versions, and related infrastructure metadata. They cannot modify or delete this information—it is an information-disclosure issue only.
Is this vulnerability exploited in the wild?
This vulnerability is not currently tracked in the CISA KEV (Known Exploited Vulnerabilities) catalog, meaning there is no evidence of active real-world exploitation as of the publication date. However, organizations should still patch in accordance with their vulnerability management policy.
Can this be exploited without valid customer credentials?
No. The vulnerability requires authentication; an unauthenticated attacker cannot exploit it. Access is limited to users with valid customer-level accounts.
This analysis is based on the CVE record and vendor information available as of June 2026. Actual impact may vary based on your specific OTRS deployment, customizations, and data sensitivity. Verify all patch version numbers and availability directly with the OTRS vendor before implementing. This content is for informational purposes and does not constitute professional security advice; consult your security team or a qualified vendor to assess your organization's exposure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-48191LOWOTRS STORM Metadata Disclosure via Incorrect Permissions
- CVE-2026-49157HIGHApache ActiveMQ Jolokia Authorization Bypass Allows Privilege Escalation
- CVE-2026-48187MEDIUMOTRS Email Handler Denial of Service – Uncontrolled Resource Allocation
- CVE-2026-48189MEDIUMOTRS Customer Backend Group Access Bypass (MEDIUM)
- CVE-2026-48208MEDIUMOTRS SVG Denial-of-Service Vulnerability – Patch Guidance
- CVE-2026-48209HIGHReflected XSS in OTRS Ticket Handling – HIGH Severity Vulnerability
- CVE-2026-48210MEDIUMOTRS 2026.3.1 Ticket Forwarding Data Exposure Vulnerability
- CVE-2024-42206LOWHCL iReflection Third-Party Component Vulnerability