{"api_version":"1","generated_at":"2026-06-01T08:43:32+00:00","cve":"CVE-2026-48210","urls":{"html":"https://cve.report/CVE-2026-48210","api":"https://cve.report/api/cve/CVE-2026-48210.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-48210","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-48210"},"summary":{"title":"Possible information disclosure via External Interface","description":"An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend\n\nThis issue affects OTRS 2026.3.1","state":"PUBLISHED","assigner":"OTRS","published_at":"2026-05-31 22:16:55","updated_at":"2026-05-31 22:16:55"},"problem_types":["CWE-200","CWE-269","CWE-200 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","CWE-269 CWE-269 Improper Privilege Management"],"metrics":[{"version":"3.1","source":"security@otrs.com","type":"Secondary","score":"5.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"5.7","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-09/","name":"https://otrs.com/release-notes/otrs-security-advisory-2026-09/","refsource":"security@otrs.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-48210","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-48210","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OTRS AG","product":"OTRS","version":"affected 2026.3.1","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Update to latest version of OTRS (2026.4.1. or later).","time":"","lang":"en"}],"workarounds":[{"source":"CNA","title":"","value":"Go to Forms###AgentFrontend::TicketArticle::Action::Forward in System Configuration. You will find that by Is visible for customer is a line Disabled: 1. Change it to Disabled to 0 or remove it. \n\nCaution: Still the user has to check the checkbox on forwarding and uncheck it if needed","time":"","lang":"en"}],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["External Interface"],"product":"OTRS","vendor":"OTRS AG","versions":[{"status":"affected","version":"2026.3.1"}]}],"datePublic":"2026-06-01T07:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<div>An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend</div><div><div><br></div><div>This issue affects OTRS 2026.3.1</div></div>"}],"value":"An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend\n\nThis issue affects OTRS 2026.3.1"}],"impacts":[{"capecId":"CAPEC-233","descriptions":[{"lang":"en","value":"CAPEC-233 Privilege Escalation"}]},{"capecId":"CAPEC-180","descriptions":[{"lang":"en","value":"CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-269","description":"CWE-269 Improper Privilege Management","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-31T21:11:25.337Z","orgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","shortName":"OTRS"},"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-09/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to latest version of OTRS (2026.4.1. or later).<br>"}],"value":"Update to latest version of OTRS (2026.4.1. or later)."}],"source":{"advisory":"OSA-2026-09","defect":["Ticket#2026052110000321","Issue#4853"],"discovery":"USER"},"title":"Possible information disclosure via External Interface","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Go to Forms###AgentFrontend::TicketArticle::Action::Forward in System Configuration.&nbsp;You will find that by Is visible for customer is a line Disabled: 1. Change it to&nbsp;Disabled to 0 or remove it.&nbsp;<br><br><b>Caution: Still the user has to check the checkbox on forwarding and uncheck it if needed</b>"}],"value":"Go to Forms###AgentFrontend::TicketArticle::Action::Forward in System Configuration. You will find that by Is visible for customer is a line Disabled: 1. Change it to Disabled to 0 or remove it. \n\nCaution: Still the user has to check the checkbox on forwarding and uncheck it if needed"}],"x_generator":{"engine":"Vulnogram 0.1.0-dev"}}},"cveMetadata":{"assignerOrgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","assignerShortName":"OTRS","cveId":"CVE-2026-48210","datePublished":"2026-05-31T21:11:25.337Z","dateReserved":"2026-05-21T12:12:49.646Z","dateUpdated":"2026-05-31T21:11:25.337Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-31 22:16:55","lastModifiedDate":"2026-05-31 22:16:55","problem_types":["CWE-200","CWE-269","CWE-200 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","CWE-269 CWE-269 Improper Privilege Management"],"metrics":{"cvssMetricV31":[{"source":"security@otrs.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.1,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"48210","Ordinal":"1","Title":"Possible information disclosure via External Interface","CVE":"CVE-2026-48210","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"48210","Ordinal":"1","NoteData":"An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend\n\nThis issue affects OTRS 2026.3.1","Type":"Description","Title":"Possible information disclosure via External Interface"}]}}}