Apache OpenMeetings: allows bypass authentication
Description
An attacker that has gained access to certain private information can use this to act as another user.
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings from 3.1.3 before 7.1.0
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache OpenMeetings before 7.1.0, an attacker with certain private information can impersonate other users.
Root Cause
CVE-2023-29032 describes an authentication bypass vulnerability in Apache OpenMeetings versions 3.1.3 up to (but not including) 7.1.0. The vendor advisory [1] indicates that the issue involves incorrect permission handling during invitation hash checks, as noted in the 7.1.0 release notes: "Invitation hash check made strict" and "Set of user permissions is fixed." This is confirmed by the related JIRA issue [3], which describes permissions being incorrectly set, leading to the ability for an attacker to act as another user once certain private information is obtained.
Exploitation
An attacker who has already gained access to private information (e.g., through a prior compromise or data leak) can exploit this flaw to impersonate other users. The attack surface is the invitation mechanism and permission assignment logic. No additional authentication is required beyond the already-obtained private data [1][2].
Impact
Successful exploitation allows the attacker to perform actions with the privileges of the targeted user. This could include accessing restricted rooms, messages, recordings, or other user-specific data within the OpenMeetings application. The vulnerability has a potentially broad impact on confidentiality and integrity.
Mitigation
The vulnerability is fixed in Apache OpenMeetings version 7.1.0 and later. The fix includes stricter invitation hash verification and corrected user permission assignment [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
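The Root Cause and Mitigation sections above describe a permission set being "fixed" during invitation hash login. The following is an added, self-contained Java sketch (not OpenMeetings code) of the pattern behind that description: an authorization routine that treats an empty rights set the same as an unspecified (null) one, and therefore falls back to resolving the account's full rights. The `Right` values, the `User`/`Group` records and the assumption that a hash-based login hands in a deliberately empty set are all constructed for this illustration; the real classes and call paths are the project's own.

```java
import java.util.EnumSet;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Constructed example: a reduced model of "null means resolve rights, empty means no rights".
// Not the project's code; names and the Right enum are placeholders for illustration.
public class RightsFallbackDemo {

    enum Right { ADMIN, ROOM, DASHBOARD, LOGIN }

    // Stand-ins for the application's user and group objects (hypothetical, minimal).
    record Group(Set<Right> rights) {}
    record User(long id, Set<Right> rights, List<Group> groups) {}

    /**
     * Computes the rights a session should carry.
     *
     * strictNullCheck == false: the weak variant, where an empty set is treated like null
     *   and is replaced by the account's own rights merged with its groups' rights.
     * strictNullCheck == true: the hardened variant, where only null triggers that fallback,
     *   so a caller that explicitly passes an empty set gets an empty set back.
     */
    static Set<Right> effectiveRights(User u, Set<Right> requested, boolean strictNullCheck) {
        boolean resolveFromAccount = strictNullCheck
                ? requested == null
                : requested == null || requested.isEmpty();

        if (resolveFromAccount) {
            Set<Right> merged = new HashSet<>(u.rights());
            // Admins already hold everything; otherwise inherit group rights (simplified rule).
            if (!merged.contains(Right.ADMIN)) {
                for (Group g : u.groups()) {
                    merged.addAll(g.rights());
                }
            }
            return merged;
        }
        // Caller specified rights explicitly (possibly none): honour them as given.
        return new HashSet<>(requested);
    }

    public static void main(String[] args) {
        // Constructed account: an ordinary user who is also in a group that grants ROOM.
        User owner = new User(42L,
                EnumSet.of(Right.LOGIN, Right.DASHBOARD),
                List.of(new Group(EnumSet.of(Right.ROOM))));

        // Assumed hash/invitation login: the caller intends "no standing rights".
        Set<Right> fromInvitation = EnumSet.noneOf(Right.class);

        System.out.println("weak   (empty set) : " + effectiveRights(owner, fromInvitation, false));
        System.out.println("strict (empty set) : " + effectiveRights(owner, fromInvitation, true));
        System.out.println("strict (null)      : " + effectiveRights(owner, null, true));
    }
}
```

Running it shows the distinction that matters: with the weak check, the empty set supplied for the invitation login is silently replaced by the owner's merged account rights, so whoever holds the invitation acts with that user's privileges; with the strict check, the empty set stays empty, while a genuine null (an ordinary interactive login that has not pre-computed rights) still resolves normally. The defensive lesson is that "no permissions" and "permissions not specified" must be distinct inputs to any authorization decision, and a regression test should pin both cases.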
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.openmeetings:openmeetings-parent | Maven | >= 3.1.3, < 7.1.0 | 7.1.0 |
Affected products
- Apache Software Foundation / Apache OpenMeetings (range: 3.1.3)
Patches
4e89e0ca076c [OPENMEETINGS-2764] permissions being set as expected
4 files changed · +28 −25
openmeetings-server/src/site/xdoc/ReleaseGuide.xml+5 −0 modified@@ -133,6 +133,11 @@ SET https://github.com/apache/openmeetings/tree/5.0.1 ]]></source> </li> + <li>Add timestamp to parent pom (properties section) + <source> + <project.build.outputTimestamp>YEAR-MONTH-DAY_OF_MONTHT00:00:00Z</project.build.outputTimestamp> + </source> + </li> <li> Create a TAG and commit it to the Git<br/> <source>
openmeetings-web/src/main/java/org/apache/openmeetings/web/app/WebSession.java+1 −1 modified@@ -341,7 +341,7 @@ public boolean signIn(String secureHash, boolean markUsed) { private void setUser(User u, Set<Right> rights) { changeSessionId(); // required to prevent session fixation userId = u.getId(); - if (rights == null || rights.isEmpty()) { + if (rights == null) { Set<Right> r = new HashSet<>(u.getRights()); if (u.getGroupUsers() != null && !AuthLevelUtil.hasAdminLevel(r)) { for (GroupUser gu : u.getGroupUsers()) {
openmeetings-web/src/main/java/org/apache/openmeetings/web/pages/HashPage.java+22 −22 modified@@ -68,11 +68,11 @@ public class HashPage extends BaseInitedPage implements IUpdatable { static final String HASH = "secure"; static final String LANG = "language"; private final WebMarkupContainer recContainer = new WebMarkupContainer(PANEL_RECORDING); - private final VideoInfo vi = new VideoInfo("info"); - private final VideoPlayer vp = new VideoPlayer("player"); + private final VideoInfo videoInfo = new VideoInfo("info"); + private final VideoPlayer videoPlayer = new VideoPlayer("player"); private boolean error = true; - private MainPanel mp = null; - private RoomPanel rp = null; + private MainPanel mainPanel = null; + private RoomPanel roomPanel = null; private final PageParameters p; @SpringBean @@ -91,9 +91,9 @@ private void createRoom(Long roomId) { Room room = roomDao.get(roomId); if (room != null && !room.isDeleted()) { error = false; - rp = new RoomPanel(CHILD_ID, room); - mp = new MainPanel(PANEL_MAIN, rp); - replace(mp); + roomPanel = new RoomPanel(CHILD_ID, room); + mainPanel = new MainPanel(PANEL_MAIN, roomPanel); + replace(mainPanel); } } 
@@ -128,21 +128,21 @@ protected void onInitialize() { } else { Recording rec = i.getRecording(); if (rec != null) { - vi.setVisible(!i.isPasswordProtected()); - vp.setVisible(!i.isPasswordProtected()); + videoInfo.setVisible(!i.isPasswordProtected()); + videoPlayer.setVisible(!i.isPasswordProtected()); if (!i.isPasswordProtected()) { - vi.update(null, rec); - vp.update(null, rec); + videoInfo.update(null, rec); + videoPlayer.update(null, rec); } recContainer.setVisible(true); error = false; } Room r = i.getRoom(); if (r != null && !r.isDeleted()) { createRoom(r.getId()); - if (i.isPasswordProtected() && rp != null) { - mp.getChat().setVisible(false); - rp.setOutputMarkupPlaceholderTag(true).setVisible(false); + if (i.isPasswordProtected() && roomPanel != null) { + mainPanel.getChat().setVisible(false); + roomPanel.setOutputMarkupPlaceholderTag(true).setVisible(false); } } } @@ -153,8 +153,8 @@ protected void onInitialize() { } else if (recId != null) { recContainer.setVisible(true); Recording rec = recDao.get(recId); - vi.update(null, rec); - vp.update(null, rec); + videoInfo.update(null, rec); + videoPlayer.update(null, rec); error = false; } else { createRoom(roomId); @@ -197,8 +197,8 @@ protected IWsClient getWsClient() { error = false; } } - add(recContainer.add(vi.setOutputMarkupPlaceholderTag(true), - vp.setOutputMarkupPlaceholderTag(true)), new InvitationPasswordDialog("i-pass", this)); + add(recContainer.add(videoInfo.setOutputMarkupPlaceholderTag(true), + videoPlayer.setOutputMarkupPlaceholderTag(true)), new InvitationPasswordDialog("i-pass", this)); remove(urlParametersReceivingBehavior); add(new IconTextModal("access-denied") .withLabel(errorMsg) 
@@ -217,11 +217,11 @@ protected void onParameterArrival(IRequestParameters requestParameters, AjaxRequ @Override public void update(AjaxRequestTarget target) { Invitation i = WebSession.get().getInvitation(); - if (i.getRoom() != null && rp != null) { - rp.show(target); + if (i.getRoom() != null && roomPanel != null) { + roomPanel.show(target); } else if (i.getRecording() != null) { - target.add(vi.update(target, i.getRecording()).setVisible(true) - , vp.update(target, i.getRecording()).setVisible(true)); + target.add(videoInfo.update(target, i.getRecording()).setVisible(true) + , videoPlayer.update(target, i.getRecording()).setVisible(true)); } } }
pom.xml+0 −2 modified@@ -1190,7 +1190,6 @@ <configuration> <source>${jdk.version}</source> <target>${jdk.version}</target> - <optimize>true</optimize> <debug>true</debug> <encoding>UTF-8</encoding> </configuration> @@ -1247,7 +1246,6 @@ </module> </checkstyleRules> <includeTestSourceDirectory>true</includeTestSourceDirectory> - <encoding>UTF-8</encoding> <consoleOutput>true</consoleOutput> <failsOnError>true</failsOnError> <excludes>**/module-info.java</excludes>
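Review bot: The one-line guard change in WebSession.setUser() (`- if (rights == null || rights.isEmpty())` to `+ if (rights == null)`) is the functional core of this commit and needs a comment at that line, because the new semantics are subtle: a null set now means "resolve rights from the user and their groups", while an empty set means "this session has no standing rights and must keep none". Without that comment, a later refactor that normalises null to an empty collection (or the reverse) would silently reintroduce the original behaviour. Suggest also auditing every caller of setUser(User, Set<Right>), in particular the signIn(String secureHash, boolean markUsed) path visible in the hunk header, to confirm which callers intentionally pass null, and adding a regression test that signs in through a secure hash and asserts the resulting session carries no rights beyond those the hash confers.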
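Review bot: Nearly all of the HashPage.java hunks are renames (vi to videoInfo, vp to videoPlayer, mp to mainPanel, rp to roomPanel) with no behavioural change, which makes the security-relevant part of this commit hard to locate during review and when backporting; consider splitting the renames into their own commit. One pre-existing fragility survives the rename: in onInitialize() the guard is `if (i.isPasswordProtected() && roomPanel != null)` but the body dereferences `mainPanel.getChat()`. That only holds because createRoom() assigns both fields together; checking mainPanel in the same condition, or stating the invariant in a comment, would make it explicit.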
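Review bot: The ReleaseGuide.xml hunk (adding project.build.outputTimestamp to the parent pom properties) is release-process documentation unrelated to the permission fix tracked by OPENMEETINGS-2764; bundling it here means anyone cherry-picking the security fix pulls documentation changes along with it. Suggest moving it to a separate commit. The placeholder `YEAR-MONTH-DAY_OF_MONTHT00:00:00Z` also reads almost like a real value; a clearly templated form such as `<YYYY>-<MM>-<DD>T00:00:00Z` would reduce copy-paste mistakes.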
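Review bot: Both pom.xml hunks are build-configuration cleanup (dropping `<optimize>true</optimize>` from the compiler configuration and a duplicate `<encoding>UTF-8</encoding>` from the checkstyle block) with no bearing on the vulnerability; they belong in a separate housekeeping commit so the security fix stays minimal and reviewable. At minimum the commit message should mention them, since `[OPENMEETINGS-2764] permissions being set as expected` gives no hint that build changes are included.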
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-v9rm-7rv9-r3fw (GHSA, advisory)
- lists.apache.org/thread/j2d6mg3rzcphfd8vvvk09d8p4o9lvnqp (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2023-29032 (GHSA, advisory)
- github.com/apache/openmeetings/commit/4e89e0ca076c83f26562f1146cf3e81ba0b16a7f (GHSA, web)
- issues.apache.org/jira/browse/OPENMEETINGS-2764 (GHSA, web)
News mentions
No linked articles in our index yet.