CVE-2026-34020
HIGH
Apache OpenMeetings: Login Credentials Passed via GET Query Parameters
Title source: cna
Description
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses the HTTP GET method with the username and password passed as query parameters. Please check the references regarding possible impact. This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
References (3)
Related
https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url
Vendor Advisory
https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db
Scores
CVSS v3
7.5
EPSS
0.0051
EPSS Percentile
39.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-598
Status
published
Products (3)
apache/openmeetings
3.1.3 - 9.0.0
Apache Software Foundation/Apache OpenMeetings
3.1.3 - 9.0.0
org.apache.openmeetings/openmeetings-parent
3.1.3 - 9.0.0 (Maven)
Published
Apr 09, 2026
Tracked Since
Apr 09, 2026