EUVD-2026-20938
GHSA-gcvm-c75m-h4p4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Description
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Analysis
Apache OpenMeetings REST login endpoint exposes credentials through HTTP GET query parameters, enabling credential harvesting via browser history, server logs, referrer headers, and intermediate proxies. Affects versions 3.1.3 through 8.x. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all Apache OpenMeetings deployments to identify affected versions (3.1.3-8.x) and document exposure scope. Within 7 days: Implement forced HTTPS with HSTS headers, disable GET-parameter authentication if POST alternative exists, and review server logs and proxy records for harvested credentials. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today