Description
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.

The REST login endpoint uses the HTTP GET method with the username and password passed as query parameters. Please check the references regarding possible impact.

This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Published: 2026-04-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises because the REST login endpoint in Apache OpenMeetings accepts user credentials via an HTTP GET request, embedding the username and password as query string parameters. URLs are routinely recorded by web server access logs, reverse proxies, and client browser history, so the credentials end up stored in cleartext in all of those places. Attackers who gain access to such logs or who observe network traffic could capture these credentials, leading to unauthorized access to the meeting platform. The issue is classified as CWE-598 (Use of GET Request Method With Sensitive Query Strings), an information-exposure weakness.

Affected Systems

Apache OpenMeetings distributed by the Apache Software Foundation. The flaw affects all releases from 3.1.3 through the latest 8.x series, up to, but excluding, version 9.0.0. Users running any of these versions should review the application configuration and consider upgrading.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level. The EPSS score is below 1%, suggesting that this vulnerability is unlikely to be actively exploited in the wild, and it is not listed in the CISA KEV catalog. However, because credentials are transmitted in cleartext URLs, a remote attacker who can intercept traffic or read server or proxy logs can obtain the login details. The likely attack vector is therefore a remote, unauthenticated user who can read logs or intercept network traffic.

Generated by OpenCVE AI on April 10, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Apache OpenMeetings to version 9.0.0 or later, which eliminates the vulnerable GET login endpoint.
  • If an upgrade cannot be performed immediately, configure web servers to suppress logging of URL query strings containing credentials and monitor logs for exposed credentials.
  • If credentials may have been exposed, rotate affected passwords and verify that compromised sessions are terminated.

Generated by OpenCVE AI on April 10, 2026 at 22:36 UTC.
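As an added illustration of the second and third recommended actions (not code from OpenCVE or the OpenMeetings project), the following Python scans access-log lines for requests that carried credential-like query parameters and masks the values so the log can be retained safely. The login path and the parameter names "user" and "pass" in the constructed sample lines are assumptions for the demo; check the advisory references for the real endpoint.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample access-log lines (Apache combined format). The login
# path and the parameter names "user"/"pass" are assumptions for this demo,
# not values taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2026:22:01:13 +0000] "GET /openmeetings/services/user/login?user=alice&pass=s3cr3t HTTP/1.1" 200 312 "-" "curl/8.4"
10.0.0.7 - - [10/Apr/2026:22:01:20 +0000] "GET /openmeetings/services/room/list?user=bob HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2026:22:02:02 +0000] "POST /openmeetings/services/user/login HTTP/1.1" 200 312 "-" "curl/8.4"
"""

# Query-parameter names whose values must never be retained in a log.
SENSITIVE_PARAMS = {"pass", "password", "passwd", "pwd", "token", "secret"}
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>[\d.]+)"')

def redact_query(target):
    """Return the request target with sensitive query values replaced."""
    parts = urlsplit(target)
    if not parts.query:
        return target
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    masked = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(masked)))

def find_credential_leaks(log_text):
    """Return (line_no, method, redacted_target) for every request whose query
    string carried a sensitive parameter. Secret values are never returned."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        names = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
        if names & SENSITIVE_PARAMS:
            findings.append((n, m["method"], redact_query(m["target"])))
    return findings

def scrub_log(log_text):
    """Mask sensitive query values so the log can be stored or shared safely."""
    return REQUEST_RE.sub(
        lambda m: f'"{m["method"]} {redact_query(m["target"])} HTTP/{m["version"]}"',
        log_text,
    )
```

Any hit from find_credential_leaks identifies an account whose password should be rotated, while scrub_log is the kind of transform to apply before logs leave the server.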


Advisories
  Source: Github GHSA
  ID: GHSA-gcvm-c75m-h4p4
  Title: Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings
History

Wed, 15 Apr 2026 15:30:00 +0000

  Type: CPEs
  Values added: cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*

Fri, 10 Apr 2026 21:15:00 +0000

  Type: Metrics
  Values added:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

  Type: First Time appeared
  Values added: Apache; Apache openmeetings
  Type: Vendors & Products
  Values added: Apache; Apache openmeetings

Thu, 09 Apr 2026 17:30:00 +0000

  Type: References

Thu, 09 Apr 2026 16:00:00 +0000

  Type: Description
  Values added: Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
  Type: Title
  Values added: Apache OpenMeetings: Login Credentials Passed via GET Query Parameters
  Type: Weaknesses
  Values added: CWE-598
  Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-10T20:13:47.789Z

Reserved: 2026-03-25T09:32:35.406Z

Link: CVE-2026-34020

Vulnrichment

Updated: 2026-04-09T16:29:22.642Z

NVD

Status: Analyzed

Published: 2026-04-09T16:16:27.090

Modified: 2026-04-15T15:21:20.030

Link: CVE-2026-34020

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:06:53Z

Weaknesses