Skip to main content

Apache CVE-2026-34020

| EUVDEUVD-2026-20938 HIGH
Use of GET Request Method With Sensitive Query Strings (CWE-598)
2026-04-09 apache GHSA-gcvm-c75m-h4p4
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 11, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 16:00 euvd
EUVD-2026-20938
Analysis Generated
Apr 09, 2026 - 16:00 vuln.today
CVE Published
Apr 09, 2026 - 15:52 nvd
HIGH 7.5

DescriptionCVE.org

Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.

The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact

This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

AnalysisAI

Apache OpenMeetings REST login endpoint exposes credentials through HTTP GET query parameters, enabling credential harvesting via browser history, server logs, referrer headers, and intermediate proxies. Affects versions 3.1.3 through 8.x. CVSS 7.5 HIGH reflects unauthenticated network-accessible information disclosure with no user interaction required. No public exploit identified at time of analysis, low observed exploitation activity (EPSS 0.02%).

Technical ContextAI

CWE-598 violation: REST authentication endpoint transmits plaintext credentials via GET query strings instead of POST body or Authorization headers. Query parameters persist in browser history, web server access logs, reverse proxy logs, and HTTP referrer headers when users navigate to external sites, creating multiple credential exposure vectors across infrastructure layers.

RemediationAI

Vendor-released patch: upgrade to Apache OpenMeetings 9.0.0, which redesigns the REST login endpoint to use POST method with credentials in request body instead of GET query parameters. No workarounds available for affected versions; the architectural flaw requires code-level correction. Organizations unable to upgrade immediately should disable REST API access and enforce alternative authentication methods. Review and purge historical server access logs, proxy logs, and browser histories containing exposed credentials. Rotate all credentials that may have been logged. Official advisory: https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db. Additional context on query string exposure risks: https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url.

Share

CVE-2026-34020 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy