Apache OpenMeetings, the open-source suite providing video conferencing, instant messaging, and collaborative document editing, is facing a series of security disclosures that highlight risks to user data and credential security. Developers have released version 9.0.0 to address three distinct vulnerabilities ranging from sensitive metadata exposure to the use of hard-coded cryptographic keys.
The first vulnerability, tracked as CVE-2026-33005, involves the FileWebService component and centers on an “Improper Handling of Insufficient Privileges vulnerability”. Rated with a moderate severity, this flaw allows an attacker who is already a registered user on the platform to overstep their intended access boundaries.
According to the advisory, “Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID”. While the exploit does not allow the attacker to download the actual contents of the files, it grants access to sensitive metadata, including “id, type, name and some other field”.
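The flaw described above is a textbook missing-authorization check: the service verifies that the caller is a registered user but never asks whether that user may see the requested folder. The following is an added example, not OpenMeetings code, that models the vulnerable pattern next to a hardened one over a small constructed folder store (users, folder IDs and names are all made up):

```python
"""Added example (not OpenMeetings code): folder-listing service that
returns metadata only after a per-folder authorization check.

Authenticating the caller is not the same as authorizing the caller for
the specific folder ID. All data below is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Folder:
    folder_id: int
    owner: str
    name: str
    shared_with: set = field(default_factory=set)
    children: list = field(default_factory=list)  # ids of sub-folders/files


# Constructed sample store: each user has a private folder, Bob shares one.
FOLDERS = {
    1: Folder(1, "alice", "alice-private", children=[10, 11]),
    2: Folder(2, "bob", "bob-private", children=[20]),
    3: Folder(3, "bob", "bob-shared", shared_with={"alice"}, children=[30]),
}


class Forbidden(Exception):
    pass


def list_folder_unchecked(caller: str, folder_id: int) -> dict:
    """Vulnerable pattern: 'caller' only proves the user is logged in;
    any valid account can read any folder's metadata by ID."""
    f = FOLDERS[folder_id]
    return {"id": f.folder_id, "name": f.name, "children": list(f.children)}


def can_read(caller: str, folder: Folder) -> bool:
    """Authorization rule: owner or explicitly shared-with user."""
    return caller == folder.owner or caller in folder.shared_with


def list_folder(caller: str, folder_id: int) -> dict:
    """Hardened: authorize the caller for this folder before returning
    metadata; refuse uniformly for unknown and unauthorized IDs so the
    response does not reveal whether the ID exists."""
    f = FOLDERS.get(folder_id)
    if f is None or not can_read(caller, f):
        raise Forbidden(f"user {caller!r} may not read folder {folder_id}")
    return {"id": f.folder_id, "name": f.name, "children": list(f.children)}


def is_denied(caller: str, folder_id: int) -> bool:
    """Helper for checks: True when the hardened endpoint refuses."""
    try:
        list_folder(caller, folder_id)
    except Forbidden:
        return True
    return False
```

The point of the uniform refusal in `list_folder` is that even an enumeration of folder IDs yields nothing: a non-existent folder and another user's folder look identical to the caller, which is the metadata-exposure the advisory describes closed off at the authorization layer rather than by hiding IDs.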
The most severe of the three disclosures, tracked as CVE-2026-33266, carries an important severity rating due to its potential for full credential theft. The issue stems from the use of a “Hard-coded Cryptographic Key vulnerability” within the platform’s “remember-me” cookie system.
Security researchers found that the “remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated”. This creates a critical risk for administrators who have not manually changed this default setting. If a default key is in use, “an attacker who has stolen a cookie from a logged-in user can get full user credentials”.
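Because the weakness is a key that ships with a default value and is never rotated, the practical defence on an existing installation is to audit the properties file and replace the key with a random one. The following is an added example, not OpenMeetings code: the property name `rememberme.key` and the default value `changeme` are placeholders standing in for the project's real property name and shipped default, which this page does not state.

```python
"""Added example (not OpenMeetings code): audit a Java-style .properties
file for a remember-me key left at a known default and produce a fresh
random replacement.

'rememberme.key' and the KNOWN_DEFAULTS set are placeholders; substitute
the project's actual property name and its shipped default value."""
import re
import secrets

KEY_PROPERTY = "rememberme.key"               # placeholder property name
KNOWN_DEFAULTS = {"", "changeme", "default"}  # placeholder default values
MIN_KEY_CHARS = 32                            # reject obviously short keys


def parse_properties(text: str) -> dict:
    """Minimal parser for key=value / key:value lines; skips comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def key_is_weak(props: dict) -> bool:
    """True when the key is missing, a known default, or too short."""
    value = props.get(KEY_PROPERTY, "")
    return value in KNOWN_DEFAULTS or len(value) < MIN_KEY_CHARS


def new_key() -> str:
    """32 random bytes from the OS CSPRNG, hex-encoded (64 characters)."""
    return secrets.token_hex(32)


def rotate_if_weak(text: str) -> tuple:
    """Return (updated_text, rotated). Rewrites the weak property in
    place, or appends it when the file does not define it at all."""
    props = parse_properties(text)
    if not key_is_weak(props):
        return text, False
    line = f"{KEY_PROPERTY}={new_key()}"
    pattern = re.compile(rf"^\s*{re.escape(KEY_PROPERTY)}\s*[=:].*$", re.M)
    if pattern.search(text):
        return pattern.sub(line, text, count=1), True
    return text.rstrip("\n") + "\n" + line + "\n", True


# Constructed sample: a properties excerpt still carrying the default key.
SAMPLE = """# constructed openmeetings.properties excerpt
application.name=OpenMeetings
rememberme.key=changeme
"""
```

Run `rotate_if_weak` over the real file contents and write the result back; rotating the key will invalidate every remember-me cookie issued under the old key, so users are asked to log in again, which is exactly the outcome you want after a default key may have been in use.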
The final vulnerability, CVE-2026-34020, involves a “Use of GET Request Method With Sensitive Query Strings vulnerability”. This flaw, also rated as moderate severity, affects how the platform handles REST-based logins.
Technical analysis reveals that the “REST login endpoint uses HTTP GET method with username and password passed as query parameters”. This is a significant security concern because sensitive credentials passed in GET parameters often remain visible in browser history, server logs, and network monitoring tools, making them vulnerable to interception or accidental exposure.
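Once credentials have travelled in a GET query string they are already sitting in whatever recorded the request. The added example below, not OpenMeetings code, scans constructed Common Log Format access-log lines for sensitive query parameters, reports which ones were exposed, and emits a redacted copy; the endpoint path `/services/user/login` and the parameter names are placeholders, not confirmed OpenMeetings routes or field names.

```python
"""Added example (not OpenMeetings code): find credentials that arrived
in GET query strings in access logs, and produce a redacted copy.

Log lines are constructed; the path and parameter names are placeholders."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SENSITIVE_PARAMS = {"pass", "password", "passwd", "pwd", "secret", "token"}

# Common Log Format: host ident user [time] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<url>\S+) (?P<rest>.*)$'
)


def sensitive_params(url: str) -> list:
    """Names of sensitive parameters present in the URL's query string."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})


def redact(url: str) -> str:
    """Replace the value of every sensitive parameter, keep everything else."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan(lines):
    """Return (findings, redacted_lines). Each finding records the HTTP
    method and which sensitive parameter names were exposed, never the
    values themselves, so the report can be shared safely."""
    findings, out = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            out.append(line)           # unparsable line passes through
            continue
        exposed = sensitive_params(m["url"])
        if exposed:
            findings.append({"method": m["method"], "params": exposed})
            line = f'{m["pre"]}{m["method"]} {redact(m["url"])} {m["rest"]}'
        out.append(line)
    return findings, out


# Constructed sample log: one leaking GET login, one harmless GET, one POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /services/user/login?user=alice&pass=hunter2 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2026:10:00:01 +0000] "GET /openmeetings/ HTTP/1.1" 200 8192',
    '10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "POST /services/user/login HTTP/1.1" 200 512',
]
```

The findings list tells you whether the endpoint was actually used in the vulnerable form on your deployment and therefore which accounts should rotate their passwords; the redacted output is what should be retained or forwarded to a SIEM. Neither replaces the upgrade, which moves the credentials out of the URL in the first place.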
The Apache OpenMeetings team has addressed all three vulnerabilities in the latest release.
- Affected Versions: These flaws affect various versions starting from 3.1.0 (for file checks), 3.1.3 (for GET parameters), and 6.1.0 (for hard-coded keys).
- The Solution: Users across all impacted versions are “strongly recommended to upgrade to version 9.0.0”, which provides the necessary patches to fix these issues.