CVE-2026-49488
Apache OpenMeetings: Arbitrary File Read
CVSS Score
6.5
EPSS Score
0.7%
EPSS Percentile
50th
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OpenMeetings. This issue affects Apache OpenMeetings: from 5.0.0 before 9.1.0. An attacker with moderator rights in any room can read arbitrary files accessible to the OS account running the OM server, including credentials and secrets, via a crafted download request. Users are recommended to upgrade to version 9.1.0, which fixes the issue.
| CWE | CWE-22 |
| Vendor | apache software foundation |
| Product | apache openmeetings |
| Published | Jul 14, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for apache software foundation apache openmeetings
Be the first to know when new medium vulnerabilities affecting apache software foundation apache openmeetings are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Apache Software Foundation / Apache OpenMeetings
5.0.0 < 9.1.0
References
Credits
follycat and Y0n3er