๐Ÿ” CVE Alert

CVE-2026-63101

HIGH 7.5

Open Event Server 1.19.1 Unauthenticated Member Roster Export via CSV Export Endpoint

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint which lacks any authentication decorator. Attackers can enumerate sequential group IDs via brute-force, trigger an export via the unauthenticated POST endpoint, then poll the unauthenticated task status endpoint until completion to retrieve a download URL containing the full member CSV.

CWE CWE-306
Vendor fossasia
Product open-event-server
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for fossasia open-event-server

Be the first to know when new high vulnerabilities affecting fossasia open-event-server are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

fossasia / open-event-server
0 โ‰ค 1.19.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/geo-chen/oss/blob/main/open-event-server.md vulncheck.com: https://www.vulncheck.com/advisories/open-event-server-unauthenticated-member-roster-export-via-csv-export-endpoint

Credits

George Chen