SECURITY ADVISORY
- PUBLISHING DATE: April 23, 2026
- RELEASE TYPE: Security Patch Release
- CRITICALITY: MEDIUM
- AFFECTED VERSION: OTOBO 11.0
Security Fixes
- [Security] Updated Compress::Raw::Zlib to address CVE-2026-3381 in Docker environments – The dependency Compress::Raw::Zlib has been updated to close a vulnerability that could affect Docker-based OTOBO installations. Non-Docker systems are generally not affected. [#5269]
- [Security] Updated Mozilla::CA – The optional dependency Mozilla::CA, suggested as default configuration in several places, has been updated to the latest version to keep the certificate store current. [#5245]
- [Security] CVE-2025-59490: Fixed XSS vulnerabilities – We closed cross-site scripting (XSS) vulnerabilities that allowed attackers to execute malicious code in users’ browsers after those users clicked on malicious links. All users are strongly advised to update to this version. [#5358, #5419]
- [Security] CVE-2025-59393: Improved password masking in the Support Bundle generator – Passwords and sensitive credentials are now more reliably redacted when generating a support bundle, preventing accidental exposure of access data. [#5376]
- [Security] Removed stack traces from frontend error messages – Stack traces are no longer exposed in frontend error messages, as they could reveal internal system information and potentially serve as an attack vector. [#5359]
Enhancements
- [Enhancement] Improved output in the database update script for rel-11_0 – The database update script for rel-11_0 now provides more meaningful feedback during execution, making it significantly easier to diagnose issues and track update processes. [#5208]
- [Enhancement] Support for connect attributes in non-primary databases – Connection attributes can now be configured for non-primary databases as well, enabling more flexible and granular control over database connections. (Users running multiple databases in OTOBO – e.g. a separate one for archive data – can now define individual connection settings such as timeouts or character sets for each of these databases.) [#5110]
Changes
- [Change] Email X-headers as an external source for dynamic fields – Email X-headers are now recognized and processed as an external data source for dynamic fields. This also makes it possible to set dynamic reference fields via email parsing. [#5164]
Bug Fixes
- [Bugfix] Broken links to external icons and data leak – Broken links to external icons have been fixed and an associated data leak has been closed. [#5212]
- [Bugfix] AgentTicketProcess and CustomerTicketProcess: hidden fields not displayed on initial page load – A bug has been fixed where hidden fields were not correctly shown when a process screen was loaded for the first time. [#5196]
- [Bugfix] Leeway parameter was not passed when decoding JWT tokens – The leeway parameter is now correctly passed to JWT token decoding, resolving issues with time tolerance validation of tokens. [#5211]
- [Bugfix] DF Ticket Reference: CustomerUserID is now correctly mapped to CustomerUserLogin for ticket search – When searching for tickets via dynamic fields with a ticket reference, the CustomerUserID was not correctly mapped to the CustomerUserLogin. This issue has been fixed. [#5300]
- [Bugfix] DF CustomerUser Reference: external source attribute “Email” was not working – The “Email” attribute as an external source in dynamic fields of type CustomerUser Reference is now processed correctly. [#5273]
- [Bugfix] DF CustomerUser Reference: implementation of FieldValueValidate – The FieldValueValidate function has been implemented for dynamic fields of type CustomerUser Reference to ensure correct value validation. [#5277]
- [Bugfix] QueueDefault could prevent dynamic field values from being saved – A bug has been fixed where the use of QueueDefault prevented values in dynamic fields from being correctly persisted. [#4962]
- [Bugfix] Queue set via URL did not correctly trigger ACLs in CustomerTicketMessage – When a queue was set via a URL parameter, associated ACLs were not reliably applied in the CustomerTicketMessage area. This issue has been fixed. [#5237]
- [Bugfix] Quick date buttons were not working on the Responsible screen – The quick date buttons were non-functional on the screen for assigning responsible agents. This issue has been fixed. [#5221]
- [Bugfix] ExternalURLJump: question marks and equals signs in configured links were not working – Special characters such as ? and = in ExternalURLJump links were not processed correctly. This issue has been fixed. [#5203]
- [Bugfix] Fixed UI issues with labels in CustomerTicketProcess – Various display errors affecting labels in CustomerTicketProcess have been corrected. [#4985]
- [Bugfix] Deleting dynamic field attachments was not possible in the customer interface – Removing attachments in dynamic fields was not functional in the customer interface. This issue has been fixed. [#5348]
Next steps
Update to OTOBO 11.0.16
We recommend that you fix the vulnerabilities and benefit from the latest improvements. Please update your system.
Security patch? System update?
No need to handle it alone.
As a support customer, just reach out via our portal or give us a quick call – we’re here to help.
Haven’t worked with us yet? Maybe now’s the perfect time. We’ll be happy to support your next update. Just get in touch – we’d love to hear from you!
Report a security issue: security@otobo.org