CVE-2026-33005: Improper Handling of Insufficient Privileges in Software Foundation Apache OpenMeetings

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.1% (top 69.92%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 9

Description

Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query the web service with their credentials and get the files/sub-folders of any folder by ID (metadata only, NOT contents). Metadata includes id, type, name and some other fields. The full list of fields can be checked in the FileItemDTO object. This issue affects Apache OpenMeetings: from 3.10 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages: 1 package

Vulnerability Details (4)

GHSA: GHSA-78cg-fc6c-w44w: Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings (2026-04-09)
CVEList: Apache OpenMeetings: Insufficient checks in FileWebService (2026-04-09)
VulDB: Apache OpenMeetings up to 8.x FileWebService insufficient permissions or privileges (2026-04-09)
GHSA: Apache OpenMeetings has an Improper Handling of Insufficient Privileges vulnerability (2026-04-09)