Severity: critical 

Affected versions:

- Apache OpenMeetings 5.0.0 before 9.1.0

Description:

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 
vulnerability in Apache OpenMeetings.

This issue affects Apache OpenMeetings: from 5.0.0 before 9.1.0.
An attacker with moderator rights in any room can read arbitrary files 
accessible to the OS account running the OM server, including credentials and 
secrets, via a crafted download request.

Users are recommended to upgrade to version 9.1.0, which fixes the issue.

This issue is being tracked as OPENMEETINGS-2821 

Credit:

follycat and Y0n3er (finder)

References:

https://openmeetings.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-49488
https://issues.apache.org/jira/browse/OPENMEETINGS-2821

Reply via email to