Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remote, unauthenticated, low-complexity request to an endpoint missing auth (AV:N/AC:L/PR:N/UI:N) that discloses PII only, so C:H with I:N/A:N and no scope change.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint which lacks any authentication decorator. Attackers can enumerate sequential group IDs via brute-force, trigger an export via the unauthenticated POST endpoint, then poll the unauthenticated task status endpoint until completion to retrieve a download URL containing the full member CSV.
AnalysisAI
Sensitive information disclosure in FOSSASIA Open Event Server through 1.19.1 lets unauthenticated remote attackers export the full member roster of any group - email addresses, names, join dates, and roles - because the group followers CSV export endpoint carries no authentication decorator. Publicly available exploit code exists; the flaw is trivially automatable by enumerating sequential group IDs, triggering an export, and polling the unauthenticated task-status endpoint for the download URL. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default configurations of Open Event Server through 1.19.1, since the CVSS 4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:N and the export/status/download endpoints ship without any authentication decorator. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are largely consistent and point to a genuine, easily-exploitable data-exposure issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scripts requests against an internet-facing Open Event Server, iterating group IDs 1..N and POSTing to the unauthenticated followers CSV export endpoint for each. For every accepted job they poll the unauthenticated task-status endpoint until it returns a download URL, then fetch the CSV to harvest every member's name, email, join date, and role - with no credentials or user interaction, exactly as demonstrated in the public PoC. |
| Remediation | No vendor-released patch version is identified in the available data (only advisory and PoC references are provided), so treat the fix version as unconfirmed and verify directly against the FOSSASIA open-event-server repository for a release above 1.19.1 that adds authentication to the followers export path. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: immediately disable or restrict access to the group followers CSV export endpoint at the firewall or application layer, and require authentication on all export functions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45202
GHSA-ggm5-8rm7-3jgc