VYPR
Critical severity · NVD Advisory · Published Mar 28, 2023 · Updated Oct 23, 2024

Apache OpenMeetings: allows user impersonation

CVE-2023-28326

Description

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings from 2.0.0 before 7.0.0

Description: Attacker can elevate their privileges in any room

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In Apache OpenMeetings before 7.0.0, an attacker in any room can elevate their privileges due to missing access control checks.

Vulnerability Overview

CVE-2023-28326 is a privilege escalation vulnerability in Apache OpenMeetings versions 2.0.0 up to (but not including) 7.0.0. The root cause lies in insufficient access control checks when processing room invitations or related actions, allowing an attacker to elevate their privileges within any room. The official description states simply that an attacker 'can elevate their privileges in any room.'

Attack Surface and Prerequisites

An attacker must already have some level of access to a room; no authentication beyond being a participant is required. The vulnerability is triggered by manipulating room invitations or related functionality: the patch shown in commit [3] restricts generation of invitation URLs to contacts only, preventing unauthorized privilege escalation via the invitation system.

Impact

A successful exploit allows an attacker to gain elevated privileges (e.g., moderator or presenter rights) in any room they are in. This can lead to further compromise of room content, user data, or disruptions to meetings.

Mitigation

The vulnerability is fixed in Apache OpenMeetings 7.0.0 [1]. Users are strongly advised to upgrade to 7.0.0 or later. The patch [3] specifically addresses the issue by disabling URL generation when the recipient is not a contact. There are no known workarounds.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.openmeetings:openmeetings-parent (Maven)
Affected versions: >= 2.0.0, < 7.0.0
Patched versions: 7.0.0
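As an added example (not code from this advisory page or from the OpenMeetings project), the following checks Maven coordinates found in a pom.xml against the affected range listed above. Versions are compared numerically rather than as strings, so that a release such as 10.0.0 is correctly treated as outside "< 7.0.0"; the pom.xml below is constructed sample input.

```python
"""Match Maven coordinates in a pom.xml against a GHSA-style affected range."""
import re
import xml.etree.ElementTree as ET

# Coordinate and range as given in the advisory's affected-packages table.
AFFECTED_PACKAGE = "org.apache.openmeetings:openmeetings-parent"
AFFECTED_RANGE = ">= 2.0.0, < 7.0.0"

# Constructed sample pom.xml; the parent version lies inside the affected range.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.apache.openmeetings</groupId>
    <artifactId>openmeetings-parent</artifactId>
    <version>6.3.0</version>
  </parent>
</project>"""

_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
        "=": lambda a, b: a == b}


def parse_version(text):
    """Numeric (major, minor, patch) tuple; missing components default to 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_range(spec):
    """Turn '>= 2.0.0, < 7.0.0' into a list of (comparator, version tuple) pairs."""
    constraints = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|=)\s*([\w.+-]+)\s*", clause)
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        constraints.append((m.group(1), parse_version(m.group(2))))
    return constraints


def is_affected(version, spec=AFFECTED_RANGE):
    """True when the version satisfies every clause of the range."""
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in parse_range(spec))


def scan_pom(pom_xml, package=AFFECTED_PACKAGE, spec=AFFECTED_RANGE):
    """Return [(coordinate, version)] for <parent>/<dependency> entries in the range."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    hits = []
    for node in root.findall("m:parent", ns) + root.findall(".//m:dependency", ns):
        gid = node.findtext("m:groupId", "", namespaces=ns)
        aid = node.findtext("m:artifactId", "", namespaces=ns)
        ver = node.findtext("m:version", "", namespaces=ns)
        if f"{gid}:{aid}" == package and ver and is_affected(ver, spec):
            hits.append((f"{gid}:{aid}", ver))
    return hits
```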

Affected products (2)

Patches (1)
1fb71af36

[OPENMEETINGS-2739] generate URL is disabled if non-contact is selected

https://github.com/apache/openmeetings · Maxim Solodovnik · May 26, 2022 · via ghsa
1 file changed · +6 −1
  • openmeetings-web/src/main/java/org/apache/openmeetings/web/common/InvitationForm.java (+6 −1, modified)
    @@ -150,9 +150,14 @@ protected void onUpdate(AjaxRequestTarget target) {
     
     	protected void updateButtons(AjaxRequestTarget target) {
     		Collection<User> recpnts = recipients.getModelObject();
    +		boolean generateEnabled = false;
    +		if (recpnts.size() == 1) {
    +			User u = recpnts.iterator().next();
    +			generateEnabled = getUserId().equals(u.getId()) || User.Type.CONTACT == u.getType();
    +		}
     		target.add(
     				dialog.getSend().setEnabled(!recpnts.isEmpty())
    -				, dialog.getGenerate().setEnabled(recpnts.size() == 1)
    +				, dialog.getGenerate().setEnabled(generateEnabled)
     				);
     	}
     
    
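Review bot: the new gate lives only in updateButtons, where the Generate button's enabled state is recalculated; the handler that actually generates the invitation URL (not in this hunk) should apply the same condition so the restriction does not depend on the button's component state being current. Consider extracting `getUserId().equals(u.getId()) || User.Type.CONTACT == u.getType()` into a named predicate reused by both places, and add a short comment stating why a non-contact recipient must not receive a generated URL.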

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (0)

No linked articles in our index yet.