CVE-2026-48210
MEDIUM
OTRS - Possible Information Disclosure via External Interface
An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend. This issue affects OTRS 2026.3.1.
Scores
CVSS v3
5.7
EPSS
0.0025
EPSS Percentile
15.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
CWE-269
Status
published
Products (2)
otrs/otrs
2026.3.1
OTRS AG/OTRS
2026.3.1
Published
May 31, 2026
Tracked Since
Jun 01, 2026