Message-ID: <82fa59d7-e690-da3f-a4ee-1b735ecc928c@apache.org>
Date: Thu, 09 Apr 2026 14:23:50 +0000
From: Maxim Solodovnik <solomax@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-34020: Apache OpenMeetings: Login Credentials Passed via
 GET Query Parameters 

Severity: moderate 

Affected versions:

- Apache OpenMeetings 3.1.3 before 9.0.0

Description:

Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.

The REST login endpoint uses the HTTP GET method, with the username and password passed as query parameters. Please check the references regarding possible impact.


This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

This issue is being tracked as OPENMEETINGS-2816.

Credit:

4ra2n (A code security AI agent) (finder)

References:

https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
https://openmeetings.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-34020
https://issues.apache.org/jira/browse/OPENMEETINGS-2816
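
Added example, not part of the advisory or of the Apache OpenMeetings code: a Python check that finds GET requests carrying credentials in the query string in web server access logs and masks the values before the logs are stored or shared. The log lines are constructed, and the login path and the `user`/`pass` parameter names in them are assumptions, since the advisory does not name them.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as secrets (assumed list; extend per application).
SENSITIVE = {"pass", "password", "pwd", "secret", "token"}
# Request line of a Common/Combined Log Format entry: "METHOD target HTTP/x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# One name=value pair of a query string, wherever it appears in the line
PAIR_RE = re.compile(r'(?P<sep>[?&])(?P<name>[^=&\s"]+)=(?P<value>[^&\s"]*)')


def leaked_params(line):
    """Return (path, sorted sensitive parameter names) for a GET entry, else None."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return None
    url = urlsplit(m.group("target"))
    names = {k.lower() for k, _ in parse_qsl(url.query, keep_blank_values=True)}
    hits = sorted(names & SENSITIVE)
    return (url.path, hits) if hits else None


def redact(line):
    """Mask sensitive query values in the request target and Referer field alike."""
    def mask(m):
        if m.group("name").lower() in SENSITIVE:
            return f'{m.group("sep")}{m.group("name")}=REDACTED'
        return m.group(0)
    return PAIR_RE.sub(mask, line)


def scan(lines):
    """Return [(line_number, path, param_names)] for every leaking entry."""
    hits = ((n, leaked_params(line)) for n, line in enumerate(lines, 1))
    return [(n, *hit) for n, hit in hits if hit]


# Constructed sample access-log lines (hypothetical hosts, paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2026:14:01:02 +0000] "GET /openmeetings/services/user/login?user=alice&pass=S3cr3t%21 HTTP/1.1" 200 118 "-" "curl/8.5"',
    '203.0.113.7 - - [09/Apr/2026:14:01:05 +0000] "GET /openmeetings/index.html?lang=en HTTP/1.1" 200 532 "-" "curl/8.5"',
    '203.0.113.9 - - [09/Apr/2026:14:02:11 +0000] "POST /openmeetings/services/user/login HTTP/1.1" 200 118 "-" "curl/8.5"',
]

if __name__ == "__main__":
    for n, path, names in scan(SAMPLE_LOG):
        print(f"line {n}: {path} exposes {names}")
        print("  ", redact(SAMPLE_LOG[n - 1]))
```

Any password the scan finds in existing logs should be treated as exposed and rotated, since redaction only protects copies made afterwards.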
