Missing Authentication Vulnerability in Open Event Server by Open Event
CVE-2026-63101
Key Information:
- Vendor
Fossasia
- Status
- Vendor
- CVE Published:
- 17 July 2026
Badges
What is CVE-2026-63101?
Open Event Server versions up to 1.19.1 are susceptible to a missing authentication flaw which permits unauthorized access to sensitive user information. This vulnerability enables attackers to export the complete member roster of any group via the CSV export endpoint without needing to authenticate. By exploiting this vulnerability, malicious actors can utilize brute-force techniques to enumerate group IDs, execute an unauthorized export request, and subsequently retrieve the member data, including email addresses and roles, through an unauthenticated task status check. This poses a significant risk for user privacy and data protection.
Affected Version(s)
open-event-server 0 <= 1.19.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V4
Timeline
- ๐ก
Public PoC available
- ๐พ
Exploit known to exist
Vulnerability published
Vulnerability Reserved
