CVE-2026-33005
Apache OpenMeetings: Insufficient checks in FileWebService
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
3rd
Improper Handling of Insufficient Privileges vulnerability in Apache OpenMeetings. Any registered user can query the web service with their credentials and get the files/sub-folders of any folder by ID (metadata only, NOT contents). Metadata includes id, type, name and some other fields. The full list of fields can be checked in the FileItemDTO object. This issue affects Apache OpenMeetings: from 3.10 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
| Field | Value |
| --- | --- |
| CWE | CWE-274 |
| Vendor | apache software foundation |
| Product | apache openmeetings |
| Published | Apr 9, 2026 |
| Last Updated | Apr 10, 2026 |
Affected Versions
Apache Software Foundation / Apache OpenMeetings
3.1.0 < 9.0.0
References
openmeetings.apache.org: https://openmeetings.apache.org/openmeetings-db/apidocs/org.apache.openmeetings.db/org/apache/openmeetings/db/dto/file/FileItemDTO.html
lists.apache.org: https://lists.apache.org/thread/pttoprd628g3xr6lpp3bm1z8m3z8t4p7
openwall.com: http://www.openwall.com/lists/oss-security/2026/04/09/10
Credits
4ra2n (A code security AI agent)