CVE-2026-34020

{"id": "CVE-2026-34020", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-04-09T16:16:27.090", "references": [{"url": "https://lists.apache.org/thread/2h3h9do5tp17xldr0nps1yjmkx4vs3db", "tags": ["Vendor Advisory", "Mailing List"], "source": "security@apache.org"}, {"url": "https://owasp.org/www-community/vulnerabilities/Information_exposure_through_query_strings_in_url", "tags": ["Not Applicable"], "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2026/04/09/12", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-598"}]}], "descriptions": [{"lang": "en", "value": "Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.\n\nThe REST login endpoint uses HTTP GET method with username and password passed as query parameters.\u00a0Please check references regarding possible impact\n\n\nThis issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue."}], "lastModified": "2026-04-15T15:21:20.030", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D575157B-A67F-474D-AD60-56D636F1AF5A", "versionEndExcluding": "9.0.0", "versionStartIncluding": "3.1.3"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}