CVE-2026-25519

8.1 HIGH
Published: February 04, 2026 Modified: February 18, 2026
View on NVD

Description

OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully login using the local login form and the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/OpenSlides/OpenSlides/releases/tag/4.2.29
Source: security-advisories@github.com
Product Release Notes
https://github.com/OpenSlides/OpenSlides/security/advisories/GHSA-vv4h-8wfc-pf8c
Source: security-advisories@github.com
Patch Vendor Advisory
https://github.com/OpenSlides/openslides-auth-service/commit/70c1aa9f5e1db59ec120ecce98d1c1169350a4ee
Source: security-advisories@github.com
Patch
https://github.com/OpenSlides/openslides-auth-service/pull/889
Source: security-advisories@github.com
Issue Tracking

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.1 / 10.0
EPSS (Exploit Probability)
0.0%
5th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-284

Affected Vendors

openslides

Related CVEs

CVE-2026-4552 8.8
CVE-2026-4551 8.8
CVE-2026-4550 4.7
CVE-2026-4549 3.1
CVE-2026-4548 6.3