{"api_version":"1","generated_at":"2026-06-01T08:44:17+00:00","cve":"CVE-2026-48188","urls":{"html":"https://cve.report/CVE-2026-48188","api":"https://cve.report/api/cve/CVE-2026-48188.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48188","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48188"},"summary":{"title":"SQL Injection via MySQL Quote Method","description":"An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.\n\nThis issue affects OTRS: \n\n  *  7.0.X\n  *  8.0.X\n  *  2023.X\n  *  2024.X\n  *  2025.X\n  *  2026.X before 2026.4.X\n  *  (OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected","state":"PUBLISHED","assigner":"OTRS","published_at":"2026-06-01 04:16:22","updated_at":"2026-06-01 04:16:22"},"problem_types":["CWE-20","CWE-20 CWE-20 Improper Input Validation"],"metrics":[{"version":"3.1","source":"security@otrs.com","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-02/","name":"https://otrs.com/release-notes/otrs-security-advisory-2026-02/","refsource":"security@otrs.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48188","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48188","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 7.0.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 8.0.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 2023.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 2024.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 2025.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 2026.x 2026.3.x patch","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"((OTRS)) Community Edition","version":"affected 6.x","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"Reconfigure MySQL/MariaDB servernot to use NO_BACKSLASH_ESCAPES SQL","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Special thanks to Daniel Triznafor reporting this vulnerability","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"affected","modules":["Database Layer"],"product":"OTRS","vendor":"OTRS AG","versions":[{"status":"affected","version":"7.0.x"},{"status":"affected","version":"8.0.x"},{"status":"affected","version":"2023.x"},{"status":"affected","version":"2024.x"},{"status":"affected","version":"2025.x"},{"lessThanOrEqual":"2026.3.x","status":"affected","version":"2026.x","versionType":"patch"}]},{"defaultStatus":"affected","product":"((OTRS)) Community Edition","vendor":"OTRS AG","versions":[{"status":"affected","version":"6.x"}]}],"credits":[{"lang":"en","type":"reporter","value":"Special thanks to Daniel Triznafor reporting this vulnerability"}],"datePublic":"2026-06-01T07:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition&nbsp;database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if&nbsp;the MySQL/MariaDB server is configured with the <code>NO_BACKSLASH_ESCAPES</code> SQL mode.<p></p><p>This issue affects OTRS: </p><ul><li>7.0.X</li><li>8.0.X</li><li>2023.X</li><li>2024.X</li><li>2025.X</li><li>2026.X before 2026.4.X</li><li>(OTRS)) Community Edition: 6.0.x<br></li></ul><div>Products based on the ((OTRS)) Community Edition also very likely to be affected</div><p></p>"}],"value":"An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.\n\nThis issue affects OTRS: \n\n  *  7.0.X\n  *  8.0.X\n  *  2023.X\n  *  2024.X\n  *  2025.X\n  *  2026.X before 2026.4.X\n  *  (OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected"}],"impacts":[{"capecId":"CAPEC-115","descriptions":[{"lang":"en","value":"CAPEC-115 Authentication Bypass"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-01T03:33:15.822Z","orgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","shortName":"OTRS"},"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-02/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches<br>"}],"value":"Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches"}],"source":{"advisory":"OSA-2026-02","defect":["Ticket#2026052110000134","Issue#4824","Issue#4859"],"discovery":"EXTERNAL"},"title":"SQL Injection via MySQL Quote Method","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Reconfigure&nbsp;MySQL/MariaDB servernot to use&nbsp;<code>NO_BACKSLASH_ESCAPES</code> SQL"}],"value":"Reconfigure MySQL/MariaDB servernot to use NO_BACKSLASH_ESCAPES SQL"}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}}},"cveMetadata":{"assignerOrgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","assignerShortName":"OTRS","cveId":"CVE-2026-48188","datePublished":"2026-06-01T03:33:15.822Z","dateReserved":"2026-05-21T07:53:13.254Z","dateUpdated":"2026-06-01T03:33:15.822Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-01 04:16:22","lastModifiedDate":"2026-06-01 04:16:22","problem_types":["CWE-20","CWE-20 CWE-20 Improper Input Validation"],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48188","Ordinal":"1","Title":"SQL Injection via MySQL Quote Method","CVE":"CVE-2026-48188","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48188","Ordinal":"1","NoteData":"An improper Input Validation vulnerability in OTRS or ((OTRS)) Community Edition database layer module allows an unauthenticated SQL injection which can lead to an authentication bypass. This issue only affects the system if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.\n\nThis issue affects OTRS: \n\n  *  7.0.X\n  *  8.0.X\n  *  2023.X\n  *  2024.X\n  *  2025.X\n  *  2026.X before 2026.4.X\n  *  (OTRS)) Community Edition: 6.0.x\n\nProducts based on the ((OTRS)) Community Edition also very likely to be affected","Type":"Description","Title":"SQL Injection via MySQL Quote Method"}]}}}