CVE-2026-63101
Open Event Server 1.19.1 Unauthenticated Member Roster Export via CSV Export Endpoint
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint which lacks any authentication decorator. Attackers can enumerate sequential group IDs via brute-force, trigger an export via the unauthenticated POST endpoint, then poll the unauthenticated task status endpoint until completion to retrieve a download URL containing the full member CSV.
| CWE | CWE-306 |
| Vendor | fossasia |
| Product | open-event-server |
| Published | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for fossasia open-event-server
Be the first to know when new high vulnerabilities affecting fossasia open-event-server are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
fossasia / open-event-server
0 โค 1.19.1
References
Credits
George Chen