CVE-2026-48189
Severity: MEDIUM
OTRS - Bypass DedicatedAgentToCustomerGroups Setting
An improper input validation vulnerability in the OTRS Customer Backend module allows access to customer information that is restricted to other groups. Please note that the feature has to be enabled and CustomerGroupSupport has to be in use for a system to be affected. This issue affects OTRS:
* 7.0.X
* 8.0.X
* 2023.X
* 2024.X
* 2025.X
* 2026.X before 2026.4.X
Scores
CVSS v3: 5.7
EPSS: 0.0019
EPSS Percentile: 9.2%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-200
Status: published
Products (7)
otrs/otrs: 7.0.0 - 8.0.37
OTRS AG/OTRS: 2023.x
OTRS AG/OTRS: 2024.x
OTRS AG/OTRS: 2025.x
OTRS AG/OTRS: 2026.x - 2026.3.x
OTRS AG/OTRS: 7.0.x
OTRS AG/OTRS: 8.0.x
Published: Jun 01, 2026
Tracked Since: Jun 01, 2026