PT-2026-45260 · Unknown+3 · Otrs Community Edition+3
Daniel Triznafor
Published 2026-06-01 · Updated 2026-06-01
CVE-2026-48188
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
OTRS versions 7.0.x through 2026.3.x
OTRS Community Edition version 6.0.x
Description
Improper input validation in the database layer module allows an unauthenticated SQL injection, which can lead to an authentication bypass. This enables attackers to impersonate any user and access all tickets and sensitive data. The issue only occurs if the MySQL/MariaDB server is configured with the NO_BACKSLASH_ESCAPES SQL mode.
Recommendations
Update OTRS to version 2026.4 or newer.
As a temporary mitigation, ensure the MySQL/MariaDB server is not running with the NO_BACKSLASH_ESCAPES SQL mode enabled.
Fix
RCE
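A check for the temporary mitigation under Recommendations, added here as an example and not taken from OTRS or this advisory: it flags NO_BACKSLASH_ESCAPES in a runtime sql_mode value (as returned by SELECT @@GLOBAL.sql_mode) and in server option-file text. The function names, the constructed sample file and the list of server option groups are assumptions.

```python
import re

RISKY_MODE = "NO_BACKSLASH_ESCAPES"
# Assumption: option groups read by the server are mysqld, mariadb, mariadbd
# and server, optionally with a version suffix such as [mysqld-8.0].
SERVER_GROUP = re.compile(r"^(mysqld|mariadbd?|server)(-[\w.]+)?$", re.I)


def mode_is_set(sql_mode):
    """True if a comma-separated sql_mode value contains the risky flag.

    Pass the string returned by: SELECT @@GLOBAL.sql_mode;
    """
    flags = {f.strip().upper() for f in sql_mode.strip("'\" \t").split(",")}
    return RISKY_MODE in flags


def audit_option_file(text):
    """Return (line_no, value) for every server-group sql_mode line that
    enables the flag. Each matching line is reported; later overrides and
    included files are left for the reviewer to resolve."""
    findings, in_server_group = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or full-line comment
        if line.startswith("[") and line.endswith("]"):
            in_server_group = bool(SERVER_GROUP.match(line[1:-1].strip()))
            continue
        if not in_server_group or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.split("#", 1)[0].strip()  # drop trailing comment
        # Option names accept '-' and '_' interchangeably.
        if key.strip().lower().replace("-", "_") == "sql_mode" and mode_is_set(value):
            findings.append((no, value))
    return findings


# Constructed sample option file (not from a real system).
SAMPLE_CNF = """\
[client]
port = 3306
[mysqld]
# sql_mode = NO_BACKSLASH_ESCAPES
sql-mode = "STRICT_TRANS_TABLES,no_backslash_escapes"  # legacy import job
[mysqldump]
sql_mode = NO_BACKSLASH_ESCAPES
"""
```

A session-level sql_mode set by a client or through init_connect appears in neither source, so also check SELECT @@SESSION.sql_mode from the application's own connection.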
Weakness Enumeration
Related Identifiers
Affected Products
Mariadb
Mysql Server
Otrs
Otrs Community Edition