{"api_version":"1","generated_at":"2026-06-01T08:44:16+00:00","cve":"CVE-2026-48190","urls":{"html":"https://cve.report/CVE-2026-48190","api":"https://cve.report/api/cve/CVE-2026-48190.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48190","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48190"},"summary":{"title":"Incorrect handling of permissions in External Interface Config Item List module","description":"An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupportĀ has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X","state":"PUBLISHED","assigner":"OTRS","published_at":"2026-06-01 04:16:22","updated_at":"2026-06-01 04:16:22"},"problem_types":["CWE-276","CWE-276 CWE-276 Incorrect Default Permissions"],"metrics":[{"version":"3.1","source":"security@otrs.com","type":"Secondary","score":"3.5","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"3.5","severity":"LOW","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.5,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-04/","name":"https://otrs.com/release-notes/otrs-security-advisory-2026-04/","refsource":"security@otrs.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48190","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48190","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 7.0.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 8.0.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 2023.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 2024.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 2025.x","platforms":[]},{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 2026.x 2026.3.x patch","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unknown","modules":["External Interface","ConfigItem List"],"product":"OTRS","vendor":"OTRS AG","versions":[{"status":"affected","version":"7.0.x"},{"status":"affected","version":"8.0.x"},{"status":"affected","version":"2023.x"},{"status":"affected","version":"2024.x"},{"status":"affected","version":"2025.x"},{"lessThanOrEqual":"2026.3.x","status":"affected","version":"2026.x","versionType":"patch"}]}],"datePublic":"2026-06-01T07:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected.
This issue affects OTRS:
7.0.X
8.0.X
2023.X
2024.X
2025.X
2026.X before 2026.4.X
"}],"value":"An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupportĀ has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X"}],"impacts":[{"capecId":"CAPEC-54","descriptions":[{"lang":"en","value":"CAPEC-54 Query System for Information"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":3.5,"baseSeverity":"LOW","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-276","description":"CWE-276 Incorrect Default Permissions","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-01T03:32:53.621Z","orgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","shortName":"OTRS"},"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-04/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches "}],"value":"Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches"}],"source":{"advisory":"OSA-2026-04","defect":["Ticket#2026052110000171","Issue#3939"],"discovery":"USER"},"title":"Incorrect handling of permissions in External Interface Config Item List module","x_generator":{"engine":"Vulnogram 0.1.0-dev"}}},"cveMetadata":{"assignerOrgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","assignerShortName":"OTRS","cveId":"CVE-2026-48190","datePublished":"2026-06-01T03:32:53.621Z","dateReserved":"2026-05-21T07:53:13.254Z","dateUpdated":"2026-06-01T03:32:53.621Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-01 04:16:22","lastModifiedDate":"2026-06-01 04:16:22","problem_types":["CWE-276","CWE-276 CWE-276 Incorrect Default Permissions"],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N","baseScore":3.5,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48190","Ordinal":"1","Title":"Incorrect handling of permissions in External Interface Config I","CVE":"CVE-2026-48190","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48190","Ordinal":"1","NoteData":"An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupportĀ has to be used to be affected.\n\nThis issue affects OTRS: \n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.4.X","Type":"Description","Title":"Incorrect handling of permissions in External Interface Config I"}]}}}