PT-2026-45262 · Otrs · Otrs

Published 2026-06-01 · Updated 2026-06-01 · CVE-2026-48190

CVSS v3.1: 3.5 (Low)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

OTRS versions 7.0.X
OTRS versions 8.0.X
OTRS versions 2023.X
OTRS versions 2024.X
OTRS versions 2025.X
OTRS versions prior to 2026.4.X

Description

Incorrect handling of permissions in the External Interface and the ConfigItem List module allows an authenticated customer to query the system for Configuration Item (CI) information. This issue occurs when the Configuration Management Database (CMDB) is enabled and CustomerGroupSupport is used.

Recommendations

Update versions 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, and versions prior to 2026.4.X to a version that contains the fix. As a temporary mitigation, disable the CMDB or restrict the use of CustomerGroupSupport.

Fix

Incorrect Default Permissions

Weakness Enumeration

Related Identifiers

CVE-2026-48190

Affected Products

Otrs