← Retour aux CVEs

CVE-2026-25519

HIGH

8.1

Description

OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully login using the local login form and the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29.

Details CVE

Score CVSS v3.18.1

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vecteur d'attaqueNETWORK

ComplexiteHIGH

Privileges requisNONE

Interaction utilisateurNONE

Publie2/4/2026

Derniere modification2/18/2026

Sourcenvd

Observations honeypot0

Produits affectes

openslides:openslides

Faiblesses (CWE)

CWE-284

References

https://github.com/OpenSlides/OpenSlides/releases/tag/4.2.29(security-advisories@github.com)

https://github.com/OpenSlides/OpenSlides/security/advisories/GHSA-vv4h-8wfc-pf8c(security-advisories@github.com)

https://github.com/OpenSlides/openslides-auth-service/commit/70c1aa9f5e1db59ec120ecce98d1c1169350a4ee(security-advisories@github.com)

https://github.com/OpenSlides/openslides-auth-service/pull/889(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.