Apache OpenMeetings: Login Credentials Passed via GET Query Parameters
Summary
| CVE | CVE-2026-34020 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-09 16:16:27 UTC |
| Updated | 2026-04-09 17:16:25 UTC |
| Description | Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings. The REST login endpoint uses the HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact. This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. |
Risk And Classification
Problem Types: CWE-598 Use of GET Request Method With Sensitive Query Strings
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache OpenMeetings | affected from 3.1.3 before 9.0.0 (semver) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| owasp.org/www-community/vulnerabilities/Information_exposure_through_qu... | [email protected] | owasp.org | |
| lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db | [email protected] | lists.apache.org | |
| www.openwall.com/lists/oss-security/2026/04/09/12 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: 4ra2n (A code security AI agent)
There are currently no legacy QID mappings associated with this CVE.