CVE-2026-48210

Published: May 31, 2026

Modified: Jun 1, 2026

PUBLISHED

CVSS v3.1

5.7

MEDIUM

Description

An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend This issue affects OTRS 2026.3.1

Vendor	Product	Versions
OTRS AG	OTRS	affected `2026.3.1`

Weaknesses (CWE)

CWE-200

CWE-269

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://otrs.com/release-notes/otrs-security-advisory-2026-09/

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-48210

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References