CVE-2026-48187 (GCVE-0-2026-48187)

Vulnerability from cvelistv5 – Published: 2026-06-01 03:33 – Updated: 2026-06-01 03:33
VLAI
Title
Email with special content can lead to DoS
Summary
An uncontrolled allocation of resources without limits or throttling in the e-mail handling in OTRS allows excessive allocation which may lead to the abortion of the webserver.This issue affects OTRS: * 8.0.X * 2023.X * 2024.X * 2025.X * 2026.X before 2026.4.X Please note that ((OTRS)) Community Edition 6.x, OTRS 7.x and products based on the ((OTRS)) Community Edition also very likely to be affected
Severity
5.7 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
CWE
  • CWE-400 - Uncontrolled Resource Consumption
  • CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
Impacted products
Vendor Product Version
OTRS AG OTRS Unknown: 7.0.x
Affected: 8.0.x
Affected: 2023.x
Affected: 2024.x
Affected: 2025.x
Affected: 2026.x , ≤ 2026.3.x (patch)
Create a notification for this product.
OTRS AG ((OTRS)) Community Edition Unknown: 6.x
Create a notification for this product.
Date Public
2026-06-01 07:00
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "modules": [
            "Mail Backend"
          ],
          "product": "OTRS",
          "vendor": "OTRS AG",
          "versions": [
            {
              "status": "unknown",
              "version": "7.0.x"
            },
            {
              "status": "affected",
              "version": "8.0.x"
            },
            {
              "status": "affected",
              "version": "2023.x"
            },
            {
              "status": "affected",
              "version": "2024.x"
            },
            {
              "status": "affected",
              "version": "2025.x"
            },
            {
              "lessThanOrEqual": "2026.3.x",
              "status": "affected",
              "version": "2026.x",
              "versionType": "patch"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "((OTRS)) Community Edition",
          "vendor": "OTRS AG",
          "versions": [
            {
              "status": "unknown",
              "version": "6.x"
            }
          ]
        }
      ],
      "datePublic": "2026-06-01T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "An uncontrolled allocation of resources without limits or throttling in the e-mail handling in OTRS allows excessive allocation which may lead to the abortion of the webserver.\u003cp\u003eThis issue affects OTRS:\u003c/p\u003e\u003cul\u003e\u003cli\u003e8.0.X\u003c/li\u003e\u003cli\u003e2023.X\u003c/li\u003e\u003cli\u003e2024.X\u003c/li\u003e\u003cli\u003e2025.X\u003c/li\u003e\u003cli\u003e2026.X before 2026.4.X\u003c/li\u003e\u003c/ul\u003ePlease note that ((OTRS)) Community Edition 6.x, OTRS 7.x and products based on the ((OTRS)) Community Edition also very likely to be affected"
            }
          ],
          "value": "An uncontrolled allocation of resources without limits or throttling in the e-mail handling in OTRS allows excessive allocation which may lead to the abortion of the webserver.This issue affects OTRS:\n\n  *  8.0.X\n  *  2023.X\n  *  2024.X\n  *  2025.X\n  *  2026.X before 2026.4.X\n\nPlease note that ((OTRS)) Community Edition 6.x, OTRS 7.x and products based on the ((OTRS)) Community Edition also very likely to be affected"
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-130",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-130 Excessive Allocation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-01T03:33:23.990Z",
        "orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
        "shortName": "OTRS"
      },
      "references": [
        {
          "url": "https://otrs.com/release-notes/otrs-security-advisory-2026-06/"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches\u003cbr\u003e"
            }
          ],
          "value": "Update to OTRS 2026.4.1. or later. Please note that there will be no OTRS 7 patches"
        }
      ],
      "source": {
        "advisory": "OSA-2026-06",
        "defect": [
          "Ticket#2026052110000214",
          "Issue#3890"
        ],
        "discovery": "USER"
      },
      "title": "Email with special content can lead to DoS",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8",
    "assignerShortName": "OTRS",
    "cveId": "CVE-2026-48187",
    "datePublished": "2026-06-01T03:33:23.990Z",
    "dateReserved": "2026-05-21T07:53:13.253Z",
    "dateUpdated": "2026-06-01T03:33:23.990Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-48187\",\"sourceIdentifier\":\"security@otrs.com\",\"published\":\"2026-06-01T04:16:22.410\",\"lastModified\":\"2026-06-01T04:16:22.410\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An uncontrolled allocation of resources without limits or throttling in the e-mail handling in OTRS allows excessive allocation which may lead to the abortion of the webserver.This issue affects OTRS:\\n\\n  *  8.0.X\\n  *  2023.X\\n  *  2024.X\\n  *  2025.X\\n  *  2026.X before 2026.4.X\\n\\nPlease note that ((OTRS)) Community Edition 6.x, OTRS 7.x and products based on the ((OTRS)) Community Edition also very likely to be affected\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H\",\"baseScore\":5.7,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.1,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security@otrs.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"},{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"references\":[{\"url\":\"https://otrs.com/release-notes/otrs-security-advisory-2026-06/\",\"source\":\"security@otrs.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.