Information Disclosure
Description
It's possible to craft Lost Password requests with wildcards in the Token value, which allows an attacker to retrieve valid Token(s) generated by users who have already requested new passwords. This issue affects: ((OTRS)) Community Edition 5.0.41 and prior versions, 6.0.26 and prior versions; OTRS 7.0.15 and prior versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lost Password requests with wildcards in the Token value allow an attacker to retrieve valid tokens, enabling unauthorized password changes in OTRS.
Vulnerability
The Lost Password functionality in OTRS (Community Edition 5.0.41 and prior, 6.0.26 and prior; OTRS 7.0.15 and prior) accepts wildcard characters in the Token value when processing password reset requests [1]. This allows an attacker to bypass the token validation mechanism and retrieve valid tokens generated by users who previously requested a password change [1].
Exploitation
An unauthenticated attacker with network access to the OTRS instance can craft Lost Password requests containing wildcards in the Token parameter [1]. Because the token check treats the supplied value as a pattern instead of comparing it exactly, such a request can match tokens issued to other users who have requested password resets, letting the attacker enumerate or retrieve those tokens [1]. No prior authentication or user interaction is required; the attack complexity is rated high because the request has to be crafted appropriately [1].
Impact
Successful exploitation leads to unauthorized disclosure of password reset tokens (confidentiality impact) and potentially allows the attacker to reset passwords for other users, leading to unauthorized access (integrity impact) [1]. The CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N) indicates high confidentiality impact and low integrity impact, with a base score of 6.5 (MEDIUM) [1].
Mitigation
Fixed versions are available: OTRS 7.0.16, OTRS 6.0.27, and OTRS 5.0.42 (Community Edition) [1]. Patches are provided via GitHub commits for Community Edition 6.0.x and 5.0.x [1]. Users should upgrade to the latest fixed version or apply the provided patches. No workaround is disclosed in the advisory [1].
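To show why a wildcard-tolerant token lookup turns the Lost Password endpoint into a token oracle (the Exploitation section above) and what the exact-match fix looks like (this Mitigation section), here is an added Python model. It is not OTRS code and does not reproduce the patched commits. The page does not say how wildcards reach the comparison; the model assumes the token ends up in a SQL LIKE clause, which is one common way a lookup comes to honour `%` and `_`. The table layout, the sample tokens, the token alphabet and length, and the function names are all constructed for the example.

```python
"""Illustrative model of a wildcard-tolerant password-reset token lookup.

Added example, not OTRS code. Assumption: the Lost Password token check ends
up in a SQL LIKE comparison, so '%' (any run of characters) and '_' (any one
character) in the submitted token act as wildcards.
"""
import sqlite3
import string

TOKEN_ALPHABET = string.ascii_letters + string.digits  # assumed token charset
TOKEN_LENGTH = 8  # assumed; short on purpose so the demo finishes quickly


def make_db():
    """In-memory table holding constructed sample users and their reset tokens."""
    db = sqlite3.connect(":memory:")
    # SQLite's LIKE is case-insensitive for ASCII unless this pragma is set;
    # it is set so the oracle behaves like a case-sensitive comparison.
    db.execute("PRAGMA case_sensitive_like = ON")
    db.execute(
        "CREATE TABLE user_pref (user_id INTEGER, pref_key TEXT, pref_value TEXT)"
    )
    for uid, token in ((1, "Kq8Zt2vB"), (2, "m3Xr9aLw")):  # constructed tokens
        db.execute("INSERT INTO user_pref VALUES (?, 'UserToken', ?)", (uid, token))
    db.commit()
    return db


def lookup_vulnerable(db, token):
    """Token check that honours LIKE wildcards: a lone '%' matches any token."""
    row = db.execute(
        "SELECT user_id FROM user_pref WHERE pref_key = 'UserToken' "
        "AND pref_value LIKE ? ORDER BY user_id LIMIT 1",
        (token,),
    ).fetchone()
    return row[0] if row else None


def lookup_fixed(db, token):
    """Hardened check: enforce the token alphabet and length, then compare exactly."""
    if len(token) != TOKEN_LENGTH or any(c not in TOKEN_ALPHABET for c in token):
        return None  # '%', '_' and anything else outside the alphabet never reach SQL
    row = db.execute(
        "SELECT user_id FROM user_pref WHERE pref_key = 'UserToken' "
        "AND pref_value = ? ORDER BY user_id LIMIT 1",
        (token,),
    ).fetchone()
    return row[0] if row else None


def enumerate_token(db, lookup):
    """Recover an outstanding token one character at a time.

    Each probe is '<known prefix><candidate char>%'. A hit means the prefix
    grew by one character, so the vulnerable lookup leaks a token in at most
    len(TOKEN_ALPHABET) * TOKEN_LENGTH requests instead of a search over the
    whole token space. Against lookup_fixed every probe is rejected and the
    function returns None.
    """
    known = ""
    while len(known) < TOKEN_LENGTH:
        for c in TOKEN_ALPHABET:
            if lookup(db, known + c + "%") is not None:
                known += c
                break
        else:
            return None  # no character extends the prefix: the oracle is closed
    return known


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, token '%':", lookup_vulnerable(db, "%"))
    print("vulnerable, enumerated:", enumerate_token(db, lookup_vulnerable))
    print("fixed, token '%':", lookup_fixed(db, "%"))
    print("fixed, enumerated:", enumerate_token(db, lookup_fixed))
```

Two points the model makes concrete: a single `%` (or a string of `_` of the right length) satisfies the vulnerable check without the attacker knowing any token at all, and a yes/no response difference is enough to walk a token out prefix by prefix. The fix is exact equality on the stored value, and rejecting any character outside the token alphabet before the query so that no pattern syntax of the underlying database is ever evaluated.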
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ((OTRS)) Community Edition: <=5.0.41, <=6.0.26
- OSV coordinates (5 versions):
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.1 (no CPE): < 5.0.42-bp151.3.3.1
  - pkg:rpm/opensuse/otrs&distro=openSUSE%20Leap%2015.2 (no CPE): < 6.0.29-bp152.2.5.4
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015 (no CPE): < 5.0.42-bp151.3.3.1
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP1 (no CPE): < 5.0.42-bp151.3.3.1
  - pkg:rpm/suse/otrs&distro=SUSE%20Package%20Hub%2015%20SP2 (no CPE): < 6.0.29-bp152.2.5.4
- OTRS AG / ((OTRS)) Community Edition v5: 5.0.x
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00038.html (mitre; vendor-advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00066.html (mitre; vendor-advisory)
- lists.opensuse.org/opensuse-security-announce/2020-09/msg00077.html (mitre; vendor-advisory)
- lists.debian.org/debian-lts-announce/2020/05/msg00000.html (mitre; mailing-list)
- lists.debian.org/debian-lts-announce/2023/08/msg00040.html (mitre; mailing-list)
- otrs.com/release-notes/otrs-security-advisory-2020-09/ (mitre)
News mentions
No linked articles in our index yet.