{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-48189","assignerOrgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","state":"PUBLISHED","assignerShortName":"OTRS","dateReserved":"2026-05-21T07:53:13.254Z","datePublished":"2026-06-01T03:33:03.373Z","dateUpdated":"2026-06-01T13:14:49.791Z"},"containers":{"cna":{"affected":[{"defaultStatus":"affected","modules":["Customer Backend"],"product":"OTRS","vendor":"OTRS AG","versions":[{"status":"affected","version":"7.0.x"},{"status":"affected","version":"8.0.x"},{"status":"affected","version":"2023.x"},{"status":"affected","version":"2024.x"},{"status":"affected","version":"2025.x"},{"lessThanOrEqual":"2026.3.x","status":"affected","version":"2026.x","versionType":"patch"}]}],"datePublic":"2026-06-01T07:00:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and&nbsp;<code>CustomerGroupSupport</code>&nbsp;has to be used to be affected.<p></p><p>This issue affects OTRS: </p><ul><li>7.0.X</li><li>8.0.X</li><li>2023.X</li><li>2024.X</li><li>2025.X</li><li>2026.X before 2026.4.X</li></ul><br><p></p>"}],"value":"An improper Input Validation vulnerability in OTRS Customer Backend module allows to access customer information which are restricted to other groups. Please note that the feature has to be anabled and CustomerGroupSupport has to be used to be affected.\n\nThis issue affects OTRS: \n\n  *  7.0.X\n  *  8.0.X\n  *  2023.X\n  *  2024.X\n  *  2025.X\n  *  2026.X before 2026.4.X"}],"impacts":[{"capecId":"CAPEC-54","descriptions":[{"lang":"en","value":"CAPEC-54 Query System for Information"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.7,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200 Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8","shortName":"OTRS","dateUpdated":"2026-06-01T03:33:03.373Z"},"references":[{"url":"https://otrs.com/release-notes/otrs-security-advisory-2026-03/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches<br>"}],"value":"Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches"}],"source":{"advisory":"OSA-2026-03","defect":["Ticket#2026052110000161","Issue#3780"],"discovery":"USER"},"title":"Bypass DedicatedAgentToCustomerGroups Setting","x_generator":{"engine":"Vulnogram 0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-01T13:14:38.008285Z","id":"CVE-2026-48189","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-01T13:14:49.791Z"}}]}}