Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.
The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact
This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
AnalysisAI
Apache OpenMeetings REST login endpoint exposes credentials through HTTP GET query parameters, enabling credential harvesting via browser history, server logs, referrer headers, and intermediate proxies. Affects versions 3.1.3 through 8.x. CVSS 7.5 HIGH reflects unauthenticated network-accessible information disclosure with no user interaction required. No public exploit identified at time of analysis, low observed exploitation activity (EPSS 0.02%).
Technical ContextAI
CWE-598 violation: REST authentication endpoint transmits plaintext credentials via GET query strings instead of POST body or Authorization headers. Query parameters persist in browser history, web server access logs, reverse proxy logs, and HTTP referrer headers when users navigate to external sites, creating multiple credential exposure vectors across infrastructure layers.
RemediationAI
Vendor-released patch: upgrade to Apache OpenMeetings 9.0.0, which redesigns the REST login endpoint to use POST method with credentials in request body instead of GET query parameters. No workarounds available for affected versions; the architectural flaw requires code-level correction. Organizations unable to upgrade immediately should disable REST API access and enforce alternative authentication methods. Review and purge historical server access logs, proxy logs, and browser histories containing exposed credentials. Rotate all credentials that may have been logged. Official advisory: https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db. Additional context on query string exposure risks: https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20938
GHSA-gcvm-c75m-h4p4