CVE-2026-34020
HIGH
Apache OpenMeetings: Login Credentials Passed via GET Query Parameters
Title source: cna
Description
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses the HTTP GET method with the username and password passed as query parameters. Please check the references regarding possible impact. This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Scores
CVSS v3
7.5
EPSS
0.0008
EPSS Percentile
23.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-598
Status
published
Products (3)
apache/openmeetings
3.1.3 - 9.0.0
Apache Software Foundation/Apache OpenMeetings
3.1.3 - 9.0.0
org.apache.openmeetings/openmeetings-parent
3.1.3 - 9.0.0 (Maven)
Published
Apr 09, 2026
Tracked Since
Apr 09, 2026