Vulnerability Description
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields get be checked at FileItemDTO object. This issue affects Apache OpenMeetings: from 3.10 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Openmeetings | >= 3.1.0, < 9.0.0 |
Related Weaknesses (CWE)
References
- https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7Mailing ListVendor Advisory
- https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.Product
- http://www.openwall.com/lists/oss-security/2026/04/09/10Mailing ListThird Party Advisory
FAQ
What is CVE-2026-33005?
CVE-2026-33005 is a vulnerability with a CVSS score of 4.3 (MEDIUM). Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (meta...
How severe is CVE-2026-33005?
CVE-2026-33005 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33005?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Openmeetings.