Platform
java
Component
org.apache.openmeetings:openmeetings-parent
Fixed in
9.0.0
CVE-2026-33005 describes an information disclosure vulnerability within Apache OpenMeetings. An authenticated attacker can leverage this flaw to query web services and retrieve metadata (ID, type, name, and other fields) of files and sub-folders within any folder by its ID. This vulnerability impacts versions of Apache OpenMeetings from 3.10 up to and including 8.1.0. The issue is resolved by upgrading to version 9.0.0.
This vulnerability allows an attacker with valid credentials to enumerate file and folder structures within an Apache OpenMeetings instance. While the vulnerability only exposes metadata and not the file contents themselves, this information can still be valuable for reconnaissance and potential future attacks. Attackers could use this to map out the system's file organization, identify potential targets for further exploitation, or gather information for social engineering attacks. The potential blast radius is limited to the data accessible through the metadata, but the exposure of folder structures can reveal sensitive information about the system's configuration and data storage practices.
This CVE was publicly disclosed on 2026-04-09. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept exploits are not currently available, but the vulnerability's ease of exploitation suggests that a PoC could emerge. The vulnerability's impact is relatively low due to the metadata-only exposure, but the potential for reconnaissance makes it a worthwhile target for attackers.
EPSS
0.11% (30th percentile)
The primary mitigation for CVE-2026-33005 is to upgrade Apache OpenMeetings to version 9.0.0 or later, which includes the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing stricter access controls to limit which users can reach the web service endpoints. While not a direct fix, reviewing and restricting user permissions reduces the number of accounts that could exercise the flaw. No WAF rules or detection signatures are readily available for this metadata exposure, but monitoring web service access logs for unusual query patterns, such as one authenticated user requesting many distinct folder IDs in a short period, can help detect exploitation attempts. After upgrading, confirm the fix by attempting to query the web service with a user account and verifying that metadata retrieval is restricted.
Update Apache OpenMeetings to version 9.0.0 or higher to mitigate the vulnerability. This update corrects the lack of privilege checks in the file web service, preventing unauthorized users from accessing file metadata.
CVE-2026-33005 is an information disclosure vulnerability in Apache OpenMeetings versions up to 8.1.0, allowing authenticated users to retrieve metadata of files and folders.
You are affected if you are running Apache OpenMeetings versions 3.10 through 8.1.0. Upgrade to version 9.0.0 to mitigate this vulnerability.
Upgrade Apache OpenMeetings to version 9.0.0 or later. Consider implementing stricter access controls as an interim measure.
There is currently no evidence of active exploitation, but the ease of exploitation suggests a potential for future attacks.
Refer to the Apache OpenMeetings security advisories page for the latest information: https://openmeetings.apache.org/security/