Skip to main content

Apache CVE-2026-33005

| EUVDEUVD-2026-20934 MEDIUM
Improper Handling of Insufficient Privileges (CWE-274)
2026-04-09 apache GHSA-78cg-fc6c-w44w
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 11, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 16:00 euvd
EUVD-2026-20934
Analysis Generated
Apr 09, 2026 - 16:00 vuln.today
CVE Published
Apr 09, 2026 - 15:52 nvd
MEDIUM 4.3

DescriptionCVE.org

Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings.

Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object.

This issue affects Apache OpenMeetings: from 3.10 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

AnalysisAI

Apache OpenMeetings versions 3.10 through 8.x allow authenticated users to enumerate file and folder metadata across the system through improper access control in web service APIs, exposing file names, IDs, types, and other metadata fields without authorization to access those resources. This affects all Apache OpenMeetings installations from 3.10 before 9.0.0, where any registered user can query arbitrary folder IDs to retrieve metadata listings. The vulnerability requires valid user credentials (low-privilege authenticated access) and poses a moderate information disclosure risk with an EPSS exploitation probability of 0.01% (3rd percentile), indicating minimal real-world exploitation likelihood despite the low attack complexity.

Technical ContextAI

The vulnerability stems from insufficient privilege validation in Apache OpenMeetings' web service layer when handling file and folder queries (CWE-274: Improper Handling of Insufficient Privileges). The affected code path involves the FileItemDTO object, which exposes metadata fields (id, type, name, and additional attributes documented in the FileItemDTO class) through query operations. Authenticated users can construct web service requests with arbitrary folder IDs to bypass authorization checks that should restrict access to folders owned by or explicitly shared with the requesting user. The attack leverages the application's REST API endpoints that handle file/folder retrieval operations, which fail to enforce resource-level access control despite validating user authentication status.

RemediationAI

Upgrade Apache OpenMeetings to version 9.0.0 or later, which resolves the insufficient privilege handling vulnerability. Organizations unable to upgrade immediately should implement network-level access controls to restrict web service API endpoints to trusted internal networks or implement additional authentication mechanisms such as API key rotation and rate limiting to reduce the practical exploitation window. Review user permissions and consider disabling API access for users who do not require programmatic file access. Detailed remediation guidance is available in the official Apache OpenMeetings advisory at https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7.

Share

CVE-2026-33005 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy