Apache OpenMeetings GET Params Login Exposure Before 9.0.0
CVE-2026-34020 Published on April 9, 2026
Apache OpenMeetings: Login Credentials Passed via GET Query Parameters
Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.
The REST login endpoint uses the HTTP GET method, with the username and password passed as query parameters. Please check the references regarding possible impact.
This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Vulnerability Analysis
CVE-2026-34020 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
Use of GET Request Method With Sensitive Query Strings
The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. The query string can be saved in the browser's history, passed through Referers to other web sites, stored in web logs, or otherwise recorded in other sources. If the query string contains sensitive information such as session identifiers, then attackers can use this information to launch further attacks.
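Two of the leak paths named above, web logs and Referers, can be audited on the server side. The following is an added example, not code from Apache OpenMeetings or from this advisory: it scans Combined Log Format lines for sensitive query parameters in the request target and in the Referer field, and redacts their values. The path `/example/rest/login`, the parameter names in `SENSITIVE_KEYS` and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter names; replace with the ones your login endpoint really uses.
SENSITIVE_KEYS = {"user", "username", "pass", "password", "sid", "token"}

# Combined Log Format: prefix "METHOD target PROTO" status size "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<target>\S+) '
    r'(?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (placeholder path, documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Apr/2026:10:00:01 +0000] "GET /example/rest/login?user=alice&pass=S3cret%21 HTTP/1.1" 200 512 "-" "curl/8.5"',
    '203.0.113.7 - - [09/Apr/2026:10:00:05 +0000] "GET /example/rooms?type=public HTTP/1.1" 200 2048 "https://app.example/example/rest/login?user=alice&pass=S3cret%21" "Mozilla/5.0"',
    '203.0.113.9 - - [09/Apr/2026:10:00:09 +0000] "POST /example/rest/login HTTP/1.1" 200 512 "-" "curl/8.5"',
]

def redact_url(url):
    """Return (redacted_url, sorted sensitive keys found in its query string)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    hits = sorted({k for k, _ in pairs if k.lower() in SENSITIVE_KEYS})
    if not hits:
        return url, []
    clean = [(k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(clean))), hits

def scan_line(line):
    """Return (redacted_line, finding) for one log line; finding is None if clean."""
    m = LINE_RE.match(line)
    if not m:
        return line, None  # unparsed lines are passed through unchanged
    target, t_hits = redact_url(m["target"])
    referer, r_hits = redact_url(m["referer"])
    if not (t_hits or r_hits):
        return line, None
    redacted = (f'{m["prefix"]}{m["method"]} {target} {m["proto"]}" '
                f'{m["status"]} {m["size"]} "{referer}" "{m["agent"]}"')
    finding = {"method": m["method"], "in_request": t_hits, "in_referer": r_hits}
    return redacted, finding
```

Any finding means the credential has already been written to disk in clear text, so the affected passwords should be rotated in addition to scrubbing the logs.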
Products Associated with CVE-2026-34020
Affected Versions
Apache Software Foundation Apache OpenMeetings: versions from 3.1.3 before 9.0.0 are affected.