GHSA-gcvm-c75m-h4p4

Source

https://github.com/advisories/GHSA-gcvm-c75m-h4p4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-gcvm-c75m-h4p4/GHSA-gcvm-c75m-h4p4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gcvm-c75m-h4p4

Aliases

CVE-2026-34020

Published

2026-04-09T18:31:27Z

Modified

2026-04-10T21:51:08.697497Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings

Details

Use of GET Request Method With Sensitive Query Strings vulnerability in Apache OpenMeetings.

The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact

This issue affects Apache OpenMeetings: from 3.1.3 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

Database specific

{
    "nvd_published_at": "2026-04-09T16:16:27Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-598"
    ],
    "github_reviewed_at": "2026-04-10T21:24:43Z"
}

References

Affected packages

Maven / org.apache.openmeetings:openmeetings-parent

Package

Name: org.apache.openmeetings:openmeetings-parent; View open source insights on deps.dev
Purl: pkg:maven/org.apache.openmeetings/openmeetings-parent

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.3

Fixed

9.0.0

Affected versions

3.*

3.1.3

3.1.4

3.1.5

3.2.0

3.2.1

3.3.0

3.3.1

3.3.2

4.*

4.0.0

4.0.1

4.0.3

4.0.4

4.0.5

4.0.6

4.0.7

4.0.9

4.0.10

4.0.11

5.*

5.0.0-M1

5.0.0-M2

5.0.0-M3

5.0.0-M4

5.0.0

5.1.0

6.*

6.2.0

6.3.0

7.*

7.0.0

7.2.0

8.*

8.0.0

8.1.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-gcvm-c75m-h4p4/GHSA-gcvm-c75m-h4p4.json"