EUVD-2026-20934
GHSA-78cg-fc6c-w44w
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4Description
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object. This issue affects Apache OpenMeetings: from 3.10 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Analysis
Apache OpenMeetings versions 3.10 through 8.x allow authenticated users to enumerate file and folder metadata across the system through improper access control in web service APIs, exposing file names, IDs, types, and other metadata fields without authorization to access those resources. This affects all Apache OpenMeetings installations from 3.10 before 9.0.0, where any registered user can query arbitrary folder IDs to retrieve metadata listings. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today