Apache OpenMeetings: Login Credentials Passed via GET Query Parameters

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.

The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact

This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

Basic Information

ID CVE-2026-34020

Source apache

Published Apr 9, 2026 at 15:52

Modified Apr 10, 2026 at 20:13

Affected Product

Vendor Apache Software Foundation

Product Apache OpenMeetings

Version 3.1.3

Affected Versions Apache Software Foundation Apache OpenMeetings 3.1.3

CWE Classification

CWE-598

References

{
    "lastseen": "",
    "description": "Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.\n\nThe REST login endpoint uses HTTP GET method with username and password passed as query parameters.\u00a0Please check references regarding possible impact\n\n\nThis issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue.",
    "published": "2026-04-09T15:52:06.599Z",
    "modified": "2026-04-10T20:13:47.789Z",
    "type": "cve",
    "title": "Apache OpenMeetings: Login Credentials Passed via GET Query Parameters",
    "source": "apache",
    "references": "https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url\nhttps://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db",
    "id": "CVE-2026-34020",
    "bulletinFamily": "",
    "cwe": [
        "CWE-598"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache OpenMeetings 3.1.3",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache OpenMeetings",
    "version": "3.1.3",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache OpenMeetings: Login Credentials Passed via GET Query Parameters_CVE-2026-34020