Description
OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully log in using the local login form, the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29.
Published: 2026-02-04
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via authentication bypass
Action: Patch Now
AI Analysis

Impact

This vulnerability in OpenSlides' authentication service allows attackers to bypass the normal login checks for users synchronized from an external SAML identity provider. By entering any SAML user's username into the local login form together with a trivial password that is valid for all such users, an adversary can authenticate as that user without holding the real credentials or an IDP-issued assertion. The flaw is a classic access-control bypass (CWE-284) that grants unauthorized access to the full capabilities of the target account, including viewing and casting votes, editing agendas, and other privileged functions within the assembly system.

Affected Systems

The affected product is OpenSlides, a web-based platform for managing assemblies. All installations running a version earlier than 4.2.29 are vulnerable; the fix shipped in release 4.2.29. The issue is confined to the authentication module and does not directly affect other components, but any account synced from the SAML IDP can be impersonated.

Risk and Exploitability

The CVSS score of 8.1 classifies the problem as High severity, and the EPSS score below 1 % indicates a low estimated probability of exploitation in the wild at present, although the flaw is publicly documented. The vulnerability is not listed in CISA's KEV catalog, which lowers the likelihood of large-scale active exploitation, but attackers could still use targeted credential-guessing or social-engineering strategies to obtain a valid SAML username. The attack uses the web login interface and requires no privileges beyond interacting with the public authentication endpoint (CVSS vector PR:N, AC:H).

Generated by OpenCVE AI on April 17, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSlides to version 4.2.29 or later to apply the vendor patch that disables the trivial password for SAML users and enforces proper authentication.
  • If an immediate upgrade is not possible, reconfigure the authentication service to disable local logins for users synchronized from an external SAML identity provider until the patch is applied.
  • Continuously monitor authentication logs for any successful local login attempts using SAML usernames and verify that these are blocked following remediation.
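The third action above asks for monitoring of successful local logins by SAML-synced accounts. The following is an added example (not OpenSlides code) that runs that check over a few constructed log lines; the log format, the `auth method=...` field names and the set of SAML-synced usernames are assumptions, since the page does not show OpenSlides' real log format.

```python
import re

# Constructed assumption: usernames that the IDP sync created in OpenSlides.
SAML_SYNCED_USERS = {"alice", "bob"}

# Constructed log format (not OpenSlides' real one):
#   <timestamp> auth method=<local|saml> user=<name> result=<ok|fail>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth method=(?P<method>local|saml) "
    r"user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample input: one SAML login, one legitimate local user, a failed
# and a successful local login for a SAML account, and an unparseable line.
SAMPLE_LOG = """\
2026-02-10T09:00:01Z auth method=saml user=alice result=ok
2026-02-10T09:02:14Z auth method=local user=carol result=ok
2026-02-10T09:05:33Z auth method=local user=alice result=fail
2026-02-10T09:05:40Z auth method=local user=alice result=ok
2026-02-10T09:07:02Z auth method=local user=bob result=ok
2026-02-10T09:08:00Z garbage line that does not parse
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def local_logins_by_saml_users(lines, saml_users, successful_only=True):
    """Return local-form login events for accounts that should only use SAML.

    Before 4.2.29 a successful event here is a likely exploitation of the
    bypass; after the upgrade such events should not occur and still warrant
    an alert. With successful_only=False, failed attempts are included too,
    which is useful for spotting probing of the local form."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparseable lines instead of crashing the monitor
        if ev["method"] != "local" or ev["user"] not in saml_users:
            continue
        if successful_only and ev["result"] != "ok":
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in local_logins_by_saml_users(SAMPLE_LOG.splitlines(), SAML_SYNCED_USERS):
        print(f"ALERT {ev['ts']}: local login by SAML-synced user {ev['user']}")
```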

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 21:00:00 +0000

Type    Values Removed    Values Added
CPEs    -                 cpe:2.3:a:openslides:openslides:*:*:*:*:*:*:*:*

Thu, 05 Feb 2026 11:45:00 +0000

Type                 Values Removed    Values Added
First Time appeared  -                 Openslides
                                       Openslides openslides
Vendors & Products   -                 Openslides
                                       Openslides openslides

Wed, 04 Feb 2026 21:15:00 +0000

Type     Values Removed    Values Added
Metrics  -                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Feb 2026 21:00:00 +0000

Type         Values Removed    Values Added
Description  -                 (the description shown at the top of this page)
Title        -                 OpenSlides has incorrect access control vulnerability in authentication service
Weaknesses   -                 CWE-284
References   -
Metrics      -                 cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-04T21:09:45.826Z

Reserved: 2026-02-02T18:21:42.487Z

Link: CVE-2026-25519

Vulnrichment

Updated: 2026-02-04T21:09:40.631Z

NVD

Status : Analyzed

Published: 2026-02-04T21:16:02.693

Modified: 2026-02-18T20:56:13.657

Link: CVE-2026-25519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses