CVE-2026-63101 in open-event-serverinfo

Summary

by MITRE • 07/17/2026

Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint which lacks any authentication decorator. Attackers can enumerate sequential group IDs via brute-force, trigger an export via the unauthenticated POST endpoint, then poll the unauthenticated task status endpoint until completion to retrieve a download URL containing the full member CSV.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability represents a critical authentication bypass issue in Open Event Server versions up to 1.19.1 that exposes sensitive user data through improperly protected endpoints. The flaw resides in the group followers CSV export functionality where the system fails to implement proper authentication checks, allowing any remote attacker to access member rosters without valid credentials. The vulnerability specifically affects the CSV export endpoint which should require authenticated access but instead accepts requests from unauthenticated users, creating a significant data exposure risk.

The technical implementation of this vulnerability stems from missing authentication decorators on critical endpoints within the application's security architecture. Attackers can exploit this by first enumerating group identifiers through brute-force techniques to discover valid group IDs, then submitting POST requests to the unauthenticated export endpoint to initiate CSV generation processes. The system lacks any form of access control validation at the endpoint level, meaning that any user can trigger the export functionality regardless of their authentication status or role within the application.

The operational impact of this vulnerability extends beyond simple data exposure to encompass potential identity theft, social engineering attacks, and privacy violations. When attackers successfully exploit this vulnerability, they gain access to comprehensive member information including email addresses, personal names, join dates, and user roles for any group within the system. This data can be used for targeted phishing campaigns, credential stuffing attacks, or other malicious activities that leverage personally identifiable information. The automated nature of the exploitation process through task polling and download URL retrieval makes this vulnerability particularly dangerous as it enables rapid data extraction at scale.

Security professionals should note this vulnerability aligns with CWE-668 (Exposure of Resource to Wrong Sphere) and represents a classic case of insufficient authentication controls that violates fundamental security principles. The attack pattern follows established methodologies from the MITRE ATT&CK framework, specifically mapping to techniques involving credential access and data exfiltration through unauthenticated API endpoints. Organizations using Open Event Server should immediately implement authentication decorators on all export endpoints, implement rate limiting to prevent brute-force enumeration, and consider implementing additional access controls based on user roles and group membership permissions.

The remediation approach requires immediate patching of the authentication logic in the affected versions, ensuring that all data export functions require proper authentication tokens or session validation before execution. Additional defensive measures should include implementing robust input validation for group ID parameters, adding monitoring for unusual export request patterns, and establishing automated alerts for unauthorized access attempts to sensitive data endpoints. Organizations should also conduct comprehensive security assessments of their API endpoints to identify similar authentication gaps that may exist in other parts of their applications, as this vulnerability demonstrates a systemic failure in access control implementation across multiple functionality areas.

Responsible

VulnCheck

Reservation

07/15/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!