Improper Configuration in OTRS 2026.3.1 Exposes Ticket Information
CVE-2026-48210

5.7 MEDIUM

Key Information:

Vendor: OTRS AG

Status
Vendor
CVE Published: 31 May 2026

What is CVE-2026-48210?

With the improper default configuration in OTRS version 2026.3.1, forwarding a ticket article automatically sets the 'Is visible for customer' flag, and users cannot change this option via the user interface. As a result, sensitive internal ticket information can be unintentionally exposed to external users, which could compromise data privacy.

Affected Version(s)

OTRS 2026.3.1

CVSS V3.1

Score: 5.7
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved