Skip to main content

Open Event Server EUVDEUVD-2026-45202

| CVE-2026-63101 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-07-17 VulnCheck GHSA-ggm5-8rm7-3jgc
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Remote, unauthenticated, low-complexity request to an endpoint missing auth (AV:N/AC:L/PR:N/UI:N) that discloses PII only, so C:H with I:N/A:N and no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 16:45 vuln.today
CVE Published
Jul 17, 2026 - 15:51 cve.org
HIGH 8.7

DescriptionCVE.org

Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint which lacks any authentication decorator. Attackers can enumerate sequential group IDs via brute-force, trigger an export via the unauthenticated POST endpoint, then poll the unauthenticated task status endpoint until completion to retrieve a download URL containing the full member CSV.

AnalysisAI

Sensitive information disclosure in FOSSASIA Open Event Server through 1.19.1 lets unauthenticated remote attackers export the full member roster of any group - email addresses, names, join dates, and roles - because the group followers CSV export endpoint carries no authentication decorator. Publicly available exploit code exists; the flaw is trivially automatable by enumerating sequential group IDs, triggering an export, and polling the unauthenticated task-status endpoint for the download URL. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach internet-facing Open Event Server API
Delivery
Enumerate sequential group IDs
Exploit
POST to unauthenticated followers CSV export
Execution
Poll unauthenticated task-status endpoint
Persist
Retrieve download URL
Impact
Exfiltrate full member roster CSV

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of Open Event Server through 1.19.1, since the CVSS 4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:N and the export/status/download endpoints ship without any authentication decorator. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are largely consistent and point to a genuine, easily-exploitable data-exposure issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scripts requests against an internet-facing Open Event Server, iterating group IDs 1..N and POSTing to the unauthenticated followers CSV export endpoint for each. For every accepted job they poll the unauthenticated task-status endpoint until it returns a download URL, then fetch the CSV to harvest every member's name, email, join date, and role - with no credentials or user interaction, exactly as demonstrated in the public PoC.
Remediation No vendor-released patch version is identified in the available data (only advisory and PoC references are provided), so treat the fix version as unconfirmed and verify directly against the FOSSASIA open-event-server repository for a release above 1.19.1 that adds authentication to the followers export path. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: immediately disable or restrict access to the group followers CSV export endpoint at the firewall or application layer, and require authentication on all export functions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45202 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy