Vulnerability Description
OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully login using the local login form and the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openslides | Openslides | >= 4.2.5, < 4.2.29 |
Related Weaknesses (CWE)
References
- https://github.com/OpenSlides/OpenSlides/releases/tag/4.2.29ProductRelease Notes
- https://github.com/OpenSlides/OpenSlides/security/advisories/GHSA-vv4h-8wfc-pf8cPatchVendor Advisory
- https://github.com/OpenSlides/openslides-auth-service/commit/70c1aa9f5e1db59ec12Patch
- https://github.com/OpenSlides/openslides-auth-service/pull/889Issue Tracking
FAQ
What is CVE-2026-25519?
CVE-2026-25519 is a vulnerability with a CVSS score of 8.1 (HIGH). OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins wit...
How severe is CVE-2026-25519?
CVE-2026-25519 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25519?
Check the references section above for vendor advisories and patch information. Affected products include: Openslides Openslides.