{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6060", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "state": "PUBLISHED", "assignerShortName": "OTRS", "dateReserved": "2026-04-10T08:43:26.385Z", "datePublished": "2026-04-20T18:20:01.664Z", "dateUpdated": "2026-04-20T18:48:48.185Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["SQL Box"], "product": "OTRS", "vendor": "OTRS AG", "versions": [{"status": "affected", "version": "7.0.x"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x"}, {"status": "affected", "version": "2025.x"}, {"lessThanOrEqual": "2026.2.x", "status": "affected", "version": "2026.x", "versionType": "patch"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Special thanks to Matthias Terlinde for reporting this vulnerability"}], "datePublic": "2026-04-20T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the system<p>This issue affects OTRS:&nbsp;</p><ul><li>7.0.X</li><li>8.0.X</li><li>2023.X</li><li>2024.X</li><li>2025.X</li><li>2026.X before 2026.3.X</li></ul><p><br></p>"}], "value": "A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the systemThis issue affects OTRS:\u00a0\n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.3.X"}], "impacts": [{"capecId": "CAPEC-125", "descriptions": [{"lang": "en", "value": "CAPEC-125 Flooding"}]}, {"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2026-04-20T18:20:01.664Z"}, "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2026-01/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to OTRS 2026.3.1. or later. Please note that there will be no OTRS 7 patches<br>"}], "value": "Update to OTRS 2026.3.1. or later. Please note that there will be no OTRS 7 patches"}], "source": {"advisory": "OSA-2026-01", "defect": ["Ticket#2025021142001359", "Issue#3460"], "discovery": "USER"}, "title": "Possible DoS via SQL Box", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Remove SQL Box from Admin Interface via System Configuration"}], "value": "Remove SQL Box from Admin Interface via System Configuration"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-20T18:47:46.149327Z", "id": "CVE-2026-6060", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T18:48:48.185Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6060", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-20T18:47:46.149327Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-20T18:48:38.481Z"}}], "cna": {"title": "Possible DoS via SQL Box", "source": {"defect": ["Ticket#2025021142001359", "Issue#3460"], "advisory": "OSA-2026-01", "discovery": "USER"}, "credits": [{"lang": "en", "type": "reporter", "value": "Special thanks to Matthias Terlinde for reporting this vulnerability"}], "impacts": [{"capecId": "CAPEC-125", "descriptions": [{"lang": "en", "value": "CAPEC-125 Flooding"}]}, {"capecId": "CAPEC-130", "descriptions": [{"lang": "en", "value": "CAPEC-130 Excessive Allocation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OTRS AG", "modules": ["SQL Box"], "product": "OTRS", "versions": [{"status": "affected", "version": "7.0.x"}, {"status": "affected", "version": "8.0.x"}, {"status": "affected", "version": "2023.x"}, {"status": "affected", "version": "2024.x"}, {"status": "affected", "version": "2025.x"}, {"status": "affected", "version": "2026.x", "versionType": "patch", "lessThanOrEqual": "2026.2.x"}], "defaultStatus": "unknown"}], "solutions": [{"lang": "en", "value": "Update to OTRS 2026.3.1. or later. Please note that there will be no OTRS 7 patches", "supportingMedia": [{"type": "text/html", "value": "Update to OTRS 2026.3.1. or later. Please note that there will be no OTRS 7 patches<br>", "base64": false}]}], "datePublic": "2026-04-20T07:00:00.000Z", "references": [{"url": "https://otrs.com/release-notes/otrs-security-advisory-2026-01/"}], "workarounds": [{"lang": "en", "value": "Remove SQL Box from Admin Interface via System Configuration", "supportingMedia": [{"type": "text/html", "value": "Remove SQL Box from Admin Interface via System Configuration", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the systemThis issue affects OTRS:\u00a0\n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.3.X", "supportingMedia": [{"type": "text/html", "value": "A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the system<p>This issue affects OTRS:&nbsp;</p><ul><li>7.0.X</li><li>8.0.X</li><li>2023.X</li><li>2024.X</li><li>2025.X</li><li>2026.X before 2026.3.X</li></ul><p><br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "shortName": "OTRS", "dateUpdated": "2026-04-20T18:20:01.664Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6060", "state": "PUBLISHED", "dateUpdated": "2026-04-20T18:48:48.185Z", "dateReserved": "2026-04-10T08:43:26.385Z", "assignerOrgId": "2e1bf29f-dc29-4ed8-830c-7b9348b6f0e8", "datePublished": "2026-04-20T18:20:01.664Z", "assignerShortName": "OTRS"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the SQL Box in the admin interface of OTRS leads to an uncontrolled resource consumption leading to a DoS against the webserver. will be killed by the systemThis issue affects OTRS:\u00a0\n\n * 7.0.X\n * 8.0.X\n * 2023.X\n * 2024.X\n * 2025.X\n * 2026.X before 2026.3.X"}], "id": "CVE-2026-6060", "lastModified": "2026-04-20T19:16:11.043", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 3.6, "source": "security@otrs.com", "type": "Secondary"}]}, "published": "2026-04-20T19:16:11.043", "references": [{"source": "security@otrs.com", "url": "https://otrs.com/release-notes/otrs-security-advisory-2026-01/"}], "sourceIdentifier": "security@otrs.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-770"}], "source": "security@otrs.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T00:02:29.830536+00:00", "value": {"mitigation_remediation": ["Update the OTRS installation to version 2026.3.1 or later, which removes the vulnerable SQL Box behavior.", "If an immediate upgrade is not possible, delete or disable the SQL Box feature by modifying the system configuration in the admin interface.", "Restrict access to the administration console to trusted personnel or secure network segments to reduce the risk of abuse."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service (resource exhaustion causing server downtime)"}, "threat_synthesis": {"affected_systems": "The affected product is OTRS by OTRS AG. Versions 7.0.x, 8.0.x, 2023.x, 2024.x, 2025.x, and all 2026.x releases prior to 2026.3.x are vulnerable.", "description_and_impact": "The vulnerability lies in the SQL Box component of the OTRS administration interface and results in uncontrolled resource consumption. When an attacker submits queries that trigger excessive CPU or memory usage, the process may be terminated, causing a denial of service for the webserver. This vulnerability does not allow direct data exfiltration or integrity compromise; its primary impact is on availability, as indicated by the CWE list.", "risk_and_exploitability": "The CVSS score of 4.5 indicates moderate severity; no EPSS data is available and the vulnerability is not listed in CISA KEV. The likely attack vector involves the web-based administration interface, where a user with sufficient privileges can trigger resource-heavy queries. Successful exploitation disrupts availability but does not directly compromise confidentiality or integrity."}}}}, "created": "2026-04-21T00:15:16.113996+00:00", "updated": "2026-04-21T00:15:16.114007+00:00", "vendors": []}