
CVE-2026-48210


Published: 2026-05-31 · Last updated: 2026-06-15

Severity and scoring

CVSS: 5.7 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-200, CWE-269

Affected products

Vendor: otrs
Product: otrs

Description

An improper default configuration in OTRS 2026.3.1 causes ticket article forwarding actions to enforce the “Is visible for customer” flag by default and prevent users from disabling it via the UI. This leads to unintended exposure of internal ticket information to the External Frontend. This issue affects OTRS 2026.3.1.

Source: NVD

Related CVEs

Same vendor

  • CVE-2026-48209 An improper neutralization of user-controllable input in OTRS or ((OTRS)) Community Edition ticket handling allows authenticated attacker... (7.1 HIGH)
  • CVE-2026-48208 An improper neutralization of active SVG content in OTRS or ((OTRS)) Community Edition ticket article rendering allows attackers to injec... (6.5 MEDIUM)
  • CVE-2026-48191 An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules... (3.5 LOW)
  • CVE-2026-48190 An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query ... (3.5 LOW)
  • CVE-2026-48189 An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to ... (5.7 MEDIUM)

Same CWE

  • CVE-2026-8385 The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its d... (5.3 MEDIUM)
  • CVE-2026-12217 A security vulnerability has been detected in DVDFab Virtual Drive 2.0.0.5 (7.8 HIGH)
  • CVE-2026-12203 A vulnerability was found in HKUDS AI-Trader up to 74caf996f78dcc0c657df8365c8544678a16e215 (5.3 MEDIUM)
  • CVE-2026-49397 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (5.3 MEDIUM)
  • CVE-2026-47124 Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.5 MEDIUM)