LOW 3.5

CVE-2026-48191: OTRS STORM Metadata Disclosure via Incorrect Permissions

A permissions bug in OTRS and STORM-powered OTRS allows authenticated users to discover metadata about configuration items (CIs), SLA levels, and services—such as how many are affected—without having actual access to view or modify them. An attacker needs valid login credentials and must interact with the Document Search Article Meta Filters modules to extract this information. While the exposure is limited to metadata disclosure rather than data access, it can provide reconnaissance value to an insider threat or compromised account holder.

Source data · NVD / CISA · public domain

CVSS
3.1 · 3.5 LOW · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-276
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules allows gaining knowledge about number of affected CIs, SLA and services without gaining access to them. This issue affects OTRS with STORM modules: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-48191 stems from improper permission validation in the Document Search Article Meta Filters functionality within OTRS and STORM. The vulnerability allows an authenticated user with limited privileges to enumerate sensitive metadata through meta filter queries. The flaw does not grant access to protected resources themselves, only to aggregated counts and categorical information about CIs, SLAs, and associated services. This represents an authorization bypass at the information-disclosure layer, classified under CWE-276 (Incorrect Default Permissions).

Business impact

The primary business risk is information leakage that enables social engineering, further reconnaissance, or targeted privilege escalation. An attacker gaining knowledge of SLA dependencies and CI counts can better plan follow-on attacks or identify high-value targets within the IT Service Management (ITSM) infrastructure. For organizations using OTRS as their core ticketing and asset-tracking system, this creates a secondary attack surface that could inform a more sophisticated breach. Compliance implications depend on industry: healthcare and financial services must evaluate whether metadata counts fall under regulated data categories.

Affected systems

All OTRS and STORM-powered OTRS deployments running version 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x, and 2026.x (before 2026.4.x) are affected. Versions 2026.4.x and later patch the issue. Customers on unsupported legacy versions (e.g., older 6.x branches) are not explicitly listed as vulnerable but should verify against vendor security advisories. The vulnerability requires authentication; unauthenticated users cannot exploit it.

Exploitability

Exploitability is moderate in practical terms. An attacker must first obtain valid OTRS credentials—either through compromise, insider threat, or shared account scenarios—and then interact with the web interface (User Interaction required per CVSS). No network access restrictions apply; the attack surface is available to any authenticated user. Automated tooling could enumerate metadata at scale if integrated into a post-compromise reconnaissance workflow. The CVSS 3.1 score of 3.5 (LOW) reflects the limited impact (confidentiality only) and authentication requirement, though the practical value for reconnaissance should not be underestimated.

Remediation

Upgrade OTRS or STORM-powered OTRS to version 2026.4.x or later. Organizations unable to patch immediately should restrict Document Search and Article Meta Filters access to trusted administrator accounts and monitor usage logs for unusual enumeration queries. Review OTRS role-based access control (RBAC) policies to ensure least-privilege principles are enforced. If running unsupported versions (7.0, 8.0, 2023–2025), contact Znuny/OTRS for extended support or migration guidance.

Patch guidance

Verify the availability of patch 2026.4.x or later from your OTRS vendor channel or Znuny (if using STORM). Test the patch in a staging environment focusing on meta filter functionality and permission enforcement across different user roles. After patching, confirm that metadata enumeration is no longer possible by attempting to query filter results as a non-administrative user. Update your ITSM change log and communicate patch deployment timelines to stakeholders relying on OTRS availability.

Detection guidance

Monitor OTRS audit logs for repeated meta filter queries from low-privileged accounts, especially patterns that enumerate SLA or CI metadata without subsequent access attempts. Check for Document Search module activity from accounts that do not typically require meta-level visibility. Implement Web Application Firewall (WAF) rules to throttle or flag high-frequency filter requests. Review OTRS access logs for sessions that query meta filters across multiple SLA or CI categories in short timeframes—a potential sign of reconnaissance.

Why prioritize this

Although the CVSS score is LOW (3.5), this vulnerability should be prioritized for remediation because it enables information disclosure in a system-of-record environment (ITSM ticketing). The combination of authentication requirement and metadata-only impact makes it a secondary vector in a multi-stage attack chain. Organizations with mature insider-threat detection or strong access controls can deprioritize slightly, but those with shared OTRS accounts or weak user segmentation should patch sooner. The January 2026 publication date suggests this is a relatively recent discovery in actively maintained code.

Risk score, explained

The CVSS 3.1 score of 3.5 reflects: Network Accessible (AV:N), Low Attack Complexity (AC:L), Requires Login (PR:L), User Interaction mandatory (UI:R), no impact on System scope (S:U), and Low Confidentiality impact (C:L) with no Integrity or Availability harm. The LOW severity is justified because actual data access is not compromised—only metadata counts are leaked. However, in security landscapes where reconnaissance is treated as a critical early-stage attack vector, the practical risk may warrant elevated priority despite the low numeric score.

Frequently asked questions

Do I need administrative access to exploit this vulnerability?

No. Any authenticated OTRS user can exploit it, including those with minimal privileges. The bug lies in permission checks applied to meta filter operations, not in account-level access control. However, an attacker would still need valid login credentials.

Can this vulnerability be exploited remotely?

Yes. OTRS is network-accessible by design, and the vulnerable module is exposed over HTTP/HTTPS. An attacker with valid credentials can exploit it from anywhere with network connectivity to the OTRS instance.

Does this vulnerability expose actual ticket or CI data?

No. The vulnerability discloses only aggregated metadata—such as counts of affected CIs, SLA levels, and service associations. Individual ticket contents, customer data, or protected CI details remain access-controlled. However, this metadata can enable targeted reconnaissance.

What should I do if I cannot patch immediately?

Restrict Document Search and Article Meta Filters access to administrator roles only, monitor audit logs for suspicious meta filter queries, and evaluate whether your OTRS instance can be placed behind additional authentication (e.g., VPN, SSO with MFA). Contact Znuny for extended support or workaround guidance specific to your version.

This explainer is based on vendor-published information as of June 2026. Exploit details and active attack telemetry are not included. Organizations should verify all patch versions, support timelines, and compatibility with their OTRS deployment against official Znuny/OTRS security advisories before applying updates. SEC.co makes no warranty regarding the completeness or applicability of this analysis to any specific environment. Always consult with your OTRS vendor and perform testing in non-production environments before patching production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).