Apache OpenMeetings security advisories
Security information for Apache OpenMeetings
Reporting
Do you want disclose a potential security issue for Apache OpenMeetings? You can read more about the projects’ security policy on their security page, and email your report to the Apache OpenMeetings Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Login Credentials Passed via GET Query Parameters
CVE-2026-34020 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-09T15:52:02.110Z
Affected
- Apache OpenMeetings from 3.1.3 before 9.0.0
Description
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.
The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact
This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
References
- https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
- https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db
Credits
- 4ra2n (A code security AI agent) (finder)
Hardcoded Remember-Me Cookie Encryption Key and Salt
CVE-2026-33266 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-09T15:52:32.475Z
Affected
- Apache OpenMeetings from 6.1.0 before 9.0.0
Description
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.
The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.
This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
References
Credits
- 4ra2n (A code security AI agent) (finder)
Insufficient checks in FileWebService
CVE-2026-33005 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-09T15:52:49.573Z
Affected
- Apache OpenMeetings from 3.1.0 before 9.0.0
Description
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings.
Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object.
This issue affects Apache OpenMeetings: from 3.10 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
References
- https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html
- https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7
Credits
- 4ra2n (A code security AI agent) (finder)
Deserialisation of untrusted data in cluster mode
CVE-2024-54676 [CVE] [CVE json] [OSV json]
Last updated: 2025-01-08T08:40:01.385Z
Affected
- Apache OpenMeetings from 2.1 before 8.0.0
Description
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.1.0 before 8.0.0
Description: Default clustering instructions at https://openmeetings.apache.org/Clustering.html doesn't specify white/black lists for OpenJPA this leads to possible deserialisation of untrusted data.Users are recommended to upgrade to version 8.0.0 and update their startup scripts to include the relevant
'openjpa.serialization.class.blacklist' and 'openjpa.serialization.class.whitelist' configurations as shown in the documentation.
References
Credits
- m0d9 from Tencent Yunding Lab (reporter)
allows null-byte Injection
CVE-2023-29246 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-12T01:21:14.732Z
Affected
- Apache OpenMeetings from 2.0.0 before 7.1.0
Description
An attacker who has gained access to an admin account can perform RCE via null-byte injection
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
References
Credits
- Stefan Schiller (reporter)
allows bypass authentication
CVE-2023-29032 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-12T01:19:51.993Z
Affected
- Apache OpenMeetings from 3.1.3 before 7.1.0
Description
An attacker that has gained access to certain private information can use this to act as other user.
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0
References
Credits
- Stefan Schiller (reporter)
insufficient check of invitation hash
CVE-2023-28936 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-12T01:19:31.368Z
Affected
- Apache OpenMeetings from 2.0.0 before 7.1.0
Description
Attacker can access arbitrary recording/room
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.1.0
References
Credits
- Stefan Schiller (reporter)
allows user impersonation
CVE-2023-28326 [CVE] [CVE json] [OSV json]
Last updated: 2023-03-28T14:34:57.762Z
Affected
- Apache OpenMeetings from 2.0.0 before 7.0.0
Description
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0
Description: Attacker can elevate their privileges in any room
References
Credits
- Dennis Zimmt (reporter)
Apache OpenMeetings: bandwidth can be overloaded with public web service
CVE-2021-27576 [CVE] [CVE json] [OSV json]
Last updated: 2021-03-14T11:56:54.481Z
Affected
- Apache OpenMeetings from 4.0.0 before Apache OpenMeetings 4*
- Apache OpenMeetings from Apache OpenMeetings 5 through 5.1.0
Description
If was found that the NetTest web service can be used to overload the bandwidth of a Apache OpenMeetings server. This issue was addressed in Apache OpenMeetings 6.0.0
References
Credits
- This issue was identified by Trung Le, Chi Tran, Linh Cua