CVE-2026-48189 - Vulnerability Details - OpenCVE

An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Otrs	Otrs

No data.

No data.

References

Link	Providers
https://otrs.com/release-notes/otrs-security-advisory-2026-03/

History

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Otrs Otrs otrs
Vendors & Products		Otrs Otrs otrs

Mon, 01 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 04:00:00 +0000

Type	Values Removed	Values Added
Description		An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X
Title		Bypass DedicatedAgentToCustomerGroups Setting
Weaknesses		CWE-200
References		https://otrs.com/release-notes/otrs-security-advisory-2026-03/
Metrics		cvssV3_1 `{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: OTRS

Published: 2026-06-01T03:33:03.373Z

Updated: 2026-06-01T13:14:49.791Z

Reserved: 2026-05-21T07:53:13.254Z

Link: CVE-2026-48189

Vulnrichment

Updated: 2026-06-01T13:14:45.902Z

NVD

Status : Awaiting Analysis

Published: 2026-06-01T04:16:22.723

Modified: 2026-06-01T18:12:56.073

Link: CVE-2026-48189

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-48189", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2026-05-21T07:53:13.254Z", "datePublished": "2026-06-01T03:33:03.373Z", "dateUpdated": "2026-06-01T13:14:49.791Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "modules": ["Customer Backend"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"status": "affected", "version": "7.0.x"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x"}, {"status": "affected", "version": "2025.x"}, {"lessThanOrEqual": "2026.3.x", "status": "affected", "version": "2026.x", "versionType": "patch"}]}], "datePublic": "2026-06-01T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and <code>CustomerGroupSupport</code> has to be used to be affected.<p></p><p>This issue affects OTRS: </p><ul><li>7.0.X</li><li>8.0.X</li><li>2023.X</li><li>2024.X</li><li>2025.X</li><li>2026.X before 2026.4.X</li></ul><br><p></p>"}], "value": "An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and\u00a0CustomerGroupSupport\u00a0has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X"}], "impacts": [{"capecId": "CAPEC-54", "descriptions": [{"lang": "en", "value": "CAPEC-54 Query System for Information"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2026-06-01T03:33:03.373Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2026-03/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches<br>"}], "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches"}], "source": {"advisory": "OSA-2026-03", "defect": ["Ticket#2026052110000161", "Issue#3780"], "discovery": "USER"}, "title": "Bypass DedicatedAgentToCustomerGroups Setting", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-01T13:14:38.008285Z", "id": "CVE-2026-48189", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-01T13:14:49.791Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-48189", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-01T13:14:38.008285Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-01T13:14:45.902Z"}}], "cna": {"title": "Bypass DedicatedAgentToCustomerGroups Setting", "source": {"defect": ["Ticket#2026052110000161", "Issue#3780"], "advisory": "OSA-2026-03", "discovery": "USER"}, "impacts": [{"capecId": "CAPEC-54", "descriptions": [{"lang": "en", "value": "CAPEC-54 Query System for Information"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OTRS AG", "modules": ["Customer Backend"], "product": "OTRS", "versions": [{"status": "affected", "version": "7.0.x"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x"}, {"status": "affected", "version": "2025.x"}, {"status": "affected", "version": "2026.x", "versionType": "patch", "lessThanOrEqual": "2026.3.x"}], "defaultStatus": "affected"}], "solutions": [{"lang": "en", "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches", "supportingMedia": [{"type": "text/html", "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches<br>", "base64": false}]}], "datePublic": "2026-06-01T07:00:00.000Z", "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2026-03/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and\u00a0CustomerGroupSupport\u00a0has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X", "supportingMedia": [{"type": "text/html", "value": "An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and <code>CustomerGroupSupport</code> has to be used to be affected.<p></p><p>This issue affects OTRS: </p><ul><li>7.0.X</li><li>8.0.X</li><li>2023.X</li><li>2024.X</li><li>2025.X</li><li>2026.X before 2026.4.X</li></ul><br><p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2026-06-01T03:33:03.373Z"}}}, "cveMetadata": {"cveId": "CVE-2026-48189", "state": "PUBLISHED", "dateUpdated": "2026-06-01T13:14:49.791Z", "dateReserved": "2026-05-21T07:53:13.254Z", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "datePublished": "2026-06-01T03:33:03.373Z", "assignerShortName": "OTRS"}, "dataVersion": "5.2"}