Apache OpenMeetings security advisories

Security information for Apache OpenMeetings

Reporting

Do you want disclose a potential security issue for Apache OpenMeetings? You can read more about the projects’ security policy on their security page, and email your report to the Apache OpenMeetings Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Login Credentials Passed via GET Query Parameters

CVE-2026-34020 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-09T15:52:02.110Z

Affected

  • Apache OpenMeetings from 3.1.3 before 9.0.0

Description

Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.

The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact

This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

References

Credits

  • 4ra2n (A code security AI agent) (finder)

Hardcoded Remember-Me Cookie Encryption Key and Salt

CVE-2026-33266 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-09T15:52:32.475Z

Affected

  • Apache OpenMeetings from 6.1.0 before 9.0.0

Description

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.

The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.

This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

References

Credits

  • 4ra2n (A code security AI agent) (finder)

Insufficient checks in FileWebService

CVE-2026-33005 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-09T15:52:49.573Z

Affected

  • Apache OpenMeetings from 3.1.0 before 9.0.0

Description

Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings.

Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object.

This issue affects Apache OpenMeetings: from 3.10 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

References

Credits

  • 4ra2n (A code security AI agent) (finder)

Deserialisation of untrusted data in cluster mode

CVE-2024-54676 [CVE] [CVE json] [OSV json]

Last updated: 2025-01-08T08:40:01.385Z

Affected

  • Apache OpenMeetings from 2.1 before 8.0.0

Description

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0

Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.
Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant 'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.

References

Credits

  • m0d9 from Tencent Yunding Lab (reporter)

allows null-byte Injection

CVE-2023-29246 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-12T01:21:14.732Z

Affected

  • Apache OpenMeetings from 2.0.0 before 7.1.0

Description

An attacker who has gained access to an admin account can perform RCE via null-byte injection

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0

References

Credits

  • Stefan Schiller (reporter)

allows bypass authentication

CVE-2023-29032 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-12T01:19:51.993Z

Affected

  • Apache OpenMeetings from 3.1.3 before 7.1.0

Description

An attacker that has gained access to certain private information can use this to act as other user.

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0

References

Credits

  • Stefan Schiller (reporter)

insufficient check of invitation hash

CVE-2023-28936 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-12T01:19:31.368Z

Affected

  • Apache OpenMeetings from 2.0.0 before 7.1.0

Description

Attacker can access arbitrary recording/room

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0

References

Credits

  • Stefan Schiller (reporter)

allows user impersonation

CVE-2023-28326 [CVE] [CVE json] [OSV json]

Last updated: 2023-03-28T14:34:57.762Z

Affected

  • Apache OpenMeetings from 2.0.0 before 7.0.0

Description

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0

Description: Attacker can elevate their privileges in any room


References

Credits

  • Dennis Zimmt (reporter)

Apache OpenMeetings: bandwidth can be overloaded with public web service

CVE-2021-27576 [CVE] [CVE json] [OSV json]

Last updated: 2021-03-14T11:56:54.481Z

Affected

  • Apache OpenMeetings from 4.0.0 before Apache OpenMeetings 4*
  • Apache OpenMeetings from Apache OpenMeetings 5 through 5.1.0

Description

If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0

References

Credits

  • This issue was identified by Trung Le, Chi Tran, Linh Cua