CVE-2026-48190— Incorrect handling of permissions in External Interface Config Item List module
Possible ATT&CK Techniques 1AI
T1005 · Data from Local SystemGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-48190
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Incorrect handling of permissions in External Interface Config Item List module
Source: NVD (National Vulnerability Database)
Vulnerability Description
An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query the system for CI information. Please note that CMDB has to be anabled and CustomerGroupSupport has to be used to be affected. This issue affects OTRS: * 7.0.X * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
缺省权限不正确
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-48190
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-48190
请登录查看更多情报信息。
Same Patch Batch · OTRS AG · 2026-06-01 · 7 CVEs total
| CVE-2026-48188 | 9.1 CRITICAL | SQL Injection via MySQL Quote Method |
| CVE-2026-48209 | 7.1 HIGH | Reflected XSS in authenticated agent context |
| CVE-2026-48208 | 6.5 MEDIUM | Denial-of-Service via SVG Rendering in Ticket |
| CVE-2026-48187 | 5.7 MEDIUM | Email with special content can lead to DoS |
| CVE-2026-48189 | 5.7 MEDIUM | Bypass DedicatedAgentToCustomerGroups Setting |
| CVE-2026-48191 | 3.5 LOW | Wrong Permission Handling in Document Search Article Meta Filters |
IV. Related Vulnerabilities
Same product: OTRS
Same vendor: OTRS AG
Same weakness: CWE-276
- CVE-2026-49157
Apache ActiveMQ: Authenticated low-privilege Web users retai - CVE-2026-48191
Wrong Permission Handling in Document Search Article Meta Fi - CVE-2026-33590
Insecure default permissions in Portainer CE - CVE-2026-49237
Local Privilege Escalation in Canonical Multipass - CVE-2026-44469
Incorrect Default Permissions in CODESYS Development System
V. Comments for CVE-2026-48190
No comments yet