
CVE-2026-33005

Severity: Medium
CVSS Score: 4.3
Published: Apr 09, 2026
Last Modified: Apr 15, 2026

Vulnerability Description

Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings.

Any registered user can query the web service with their credentials and get the files/sub-folders of any folder by ID (metadata only, NOT contents). Metadata includes id, type, name and some other fields. The full list of fields can be checked in the FileItemDTO object.

This issue affects Apache OpenMeetings: from 3.10 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: N
Attack Complexity: L
Privileges Required: L
User Interaction: N
Scope: U
Confidentiality: L
Integrity: N
Availability: N

Known Affected Software

26 configuration(s) from 1 vendor(s)

openmeetings, Version: 5.0.0, CPE: cpe:2.3:a:apache:openmeetings:5.0.0:*:*:*:*:*:*:*
openmeetings, Version: 3.1.2, CPE: cpe:2.3:a:apache:openmeetings:3.1.2:*:*:*:*:*:*:*
openmeetings, Version: 3.2.1, CPE: cpe:2.3:a:apache:openmeetings:3.2.1:*:*:*:*:*:*:*
openmeetings, Version: 8.0.0, CPE: cpe:2.3:a:apache:openmeetings:8.0.0:*:*:*:*:*:*:*
openmeetings, Version: 3.1.5, CPE: cpe:2.3:a:apache:openmeetings:3.1.5:*:*:*:*:*:*:*
openmeetings, Version: 3.1.4, CPE: cpe:2.3:a:apache:openmeetings:3.1.4:*:*:*:*:*:*:*
openmeetings, Version: 3.1.0, CPE: cpe:2.3:a:apache:openmeetings:3.1.0:*:*:*:*:*:*:*
openmeetings, Version: 3.3.1, CPE: cpe:2.3:a:apache:openmeetings:3.3.1:*:*:*:*:*:*:*
openmeetings, Version: 4.0.1, CPE: cpe:2.3:a:apache:openmeetings:4.0.1:*:*:*:*:*:*:*
openmeetings, Version: 4.0.0, CPE: cpe:2.3:a:apache:openmeetings:4.0.0:*:*:*:*:*:*:*
openmeetings, Version: 6.1.0, CPE: cpe:2.3:a:apache:openmeetings:6.1.0:*:*:*:*:*:*:*
openmeetings, Version: 4.0.11, CPE: cpe:2.3:a:apache:openmeetings:4.0.11:*:*:*:*:*:*:*
openmeetings, Version: 3.3.0, CPE: cpe:2.3:a:apache:openmeetings:3.3.0:*:*:*:*:*:*:*
openmeetings, Version: 4.0.10, CPE: cpe:2.3:a:apache:openmeetings:4.0.10:*:*:*:*:*:*:*
openmeetings, Version: 4.0.2, CPE: cpe:2.3:a:apache:openmeetings:4.0.2:*:*:*:*:*:*:*
openmeetings, Version: 6.3.0, CPE: cpe:2.3:a:apache:openmeetings:6.3.0:*:*:*:*:*:*:*
openmeetings, Version: 6.0.0, CPE: cpe:2.3:a:apache:openmeetings:6.0.0:*:*:*:*:*:*:*
openmeetings, Version: 3.1.1, CPE: cpe:2.3:a:apache:openmeetings:3.1.1:*:*:*:*:*:*:*
openmeetings, Version: 3.3.2, CPE: cpe:2.3:a:apache:openmeetings:3.3.2:*:*:*:*:*:*:*
openmeetings, Version: 6.2.0, CPE: cpe:2.3:a:apache:openmeetings:6.2.0:*:*:*:*:*:*:*
openmeetings, Version: 7.0.0, CPE: cpe:2.3:a:apache:openmeetings:7.0.0:*:*:*:*:*:*:*
openmeetings, Version: 3.2.0, CPE: cpe:2.3:a:apache:openmeetings:3.2.0:*:*:*:*:*:*:*
openmeetings, Version: 4.0.9, CPE: cpe:2.3:a:apache:openmeetings:4.0.9:*:*:*:*:*:*:*
openmeetings, Version: 5.0.1, CPE: cpe:2.3:a:apache:openmeetings:5.0.1:*:*:*:*:*:*:*
openmeetings, Version: 4.0.3, CPE: cpe:2.3:a:apache:openmeetings:4.0.3:*:*:*:*:*:*:*
openmeetings, Version: 3.1.3, CPE: cpe:2.3:a:apache:openmeetings:3.1.3:*:*:*:*:*:*:*

This vulnerability affects 26 software configuration(s). Ensure you patch all affected systems.

Severity Details

4.3 out of 10.0 (Medium)

Weakness Type (CWE)

CWE-274: Improper Handling of Insufficient Privileges

Description: The product does not handle or incorrectly handles when it has insufficient privileges to perform an operation, leading to resultant weaknesses.
Typical Severity: Medium
Abstraction Level: Base

Key Information

Published Date: April 09, 2026