CVE-2026-25519 in OpenSlides
Summary
by MITRE • 02/04/2026
OpenSlides is a free, web-based presentation and assembly system for managing and projecting the agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign-on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully log in using the local login form with the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29.
Analysis
by VulDB Data Team • 02/18/2026
The vulnerability identified as CVE-2026-25519 affects OpenSlides, a widely used web-based presentation and assembly system designed for managing agendas, motions, and elections in organizational meetings. The system serves as a tool for democratic processes in institutions such as political parties, unions, and civic organizations, which makes the security implications particularly significant. The flaw exists in versions prior to 4.2.29 and is a serious access control weakness that undermines the security model of the application's user authentication. OpenSlides supports both traditional local authentication with username and password and SAML-based single sign-on with external identity providers; the vulnerability arises at the boundary between these two authentication paths.
The technical flaw is an incorrect access control implementation affecting users who are synchronized from external identity providers through SAML integration. When users are provisioned into OpenSlides via SAML, the system fails to enforce the boundary between these externally authenticated users and the local authentication system. The defect allows anyone with access to the local login form to bypass the intended SAML authentication flow and log in to any SAML user account by supplying that user's OpenSlides username together with a trivial password that is valid across all SAML accounts. This is a fundamental breakdown of the separation between authentication methods and a classic authorization flaw classified under CWE-285, Improper Authorization.
The operational impact of this vulnerability is severe and multifaceted, creating potential for unauthorized access to sensitive organizational data and system functionality. Attackers can exploit this weakness to impersonate any SAML user within the system, potentially gaining access to confidential information, voting records, motion proposals, and other assembly-related data that these users might have legitimate access to. The vulnerability effectively nullifies the security benefits of SAML integration since the trivial password serves as a universal key that can unlock any SAML user account. This creates a significant risk for organizations relying on OpenSlides for sensitive democratic processes, as it could enable unauthorized individuals to manipulate assembly outcomes, view confidential communications, or disrupt organizational proceedings. The vulnerability also creates potential for privilege escalation attacks where malicious actors could gain access to administrative functions if they can identify the usernames of users with elevated privileges.
The security implications extend beyond simple unauthorized access to broader concerns about data integrity and trust in the system. Organizations using OpenSlides for critical assembly functions such as voting, motion management, and agenda control face the risk of election manipulation or data corruption through this vulnerability. The flaw remains exploitable until the system is updated to version 4.2.29, which addresses the access control issue. The vulnerability maps to ATT&CK technique T1078 (Valid Accounts), the use of legitimate credentials and authentication mechanisms for access and privilege escalation. The patch in version 4.2.29 corrects the authentication flow so that SAML-synced users cannot be accessed through the local login, enforcing proper separation between authentication methods and closing the universal-password path. Organizations should update to the patched version immediately, consider additional monitoring to detect exploitation attempts, and review their user provisioning processes to ensure proper segregation between local and external authentication mechanisms.
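The separation the analysis calls for, illustrated in Python as an added example (this is not OpenSlides code; the User fields, password placeholder, log format and sample accounts are constructed assumptions): the local-login gate refuses IdP-provisioned accounts before any password comparison, and a small log scan flags successful local logins against SAML usernames, the kind of monitoring useful on instances not yet on 4.2.29.

```python
import hashlib, hmac, os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class User:
    username: str
    password_hash: Optional[bytes]      # salt || PBKDF2 digest, or None
    saml_id: Optional[str] = None       # set when provisioned via the external IdP

def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt if salt is not None else os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_password(password: str, stored: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, stored[:16]), stored)

def local_login(users: Dict[str, User], username: str, password: str) -> Tuple[bool, str]:
    """Hardened local login: the IdP-provisioned flag is decided first."""
    user = users.get(username)
    if user is None:
        return False, "unknown_user"
    # Deny before any password check: a SAML-synced account must never be
    # reachable through the local form, whatever sits in its password field.
    if user.saml_id is not None:
        return False, "saml_user_local_login_denied"
    if user.password_hash is None or not verify_password(password, user.password_hash):
        return False, "bad_credentials"
    return True, "ok"

def flag_saml_local_logins(log_lines: List[str], users: Dict[str, User]) -> List[str]:
    """Detection: successful local logins whose username belongs to a SAML user."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        user = users.get(fields.get("user", ""))
        if (fields.get("method") == "local" and fields.get("result") == "success"
                and user is not None and user.saml_id is not None):
            hits.append(fields["user"])
    return hits

# Constructed sample data: a local account and an IdP-provisioned account
# whose password field holds a placeholder value (hypothetical).
USERS = {
    "alice": User("alice", hash_password("correct horse battery")),
    "bob": User("bob", hash_password("idp-placeholder"), saml_id="bob@idp.example"),
}
SAMPLE_LOG = [   # constructed auth log lines, key=value format
    "ts=2026-02-05T09:01:12Z method=local user=bob result=success",
    "ts=2026-02-05T09:02:30Z method=saml user=bob result=success",
]
```

Running `flag_saml_local_logins(SAMPLE_LOG, USERS)` returns `["bob"]`, the one local success for a SAML account; `local_login(USERS, "bob", "idp-placeholder")` is denied even though the placeholder would verify.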