CVE-2026-25519
Published: 04 February 2026
Summary
CVE-2026-25519 is a high-severity Improper Access Control (CWE-284) vulnerability in OpenSlides. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 5.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved access control policies, directly preventing unauthorized local logins for SAML-synced users via improper access enforcement.
- Authenticator management: manages authenticators to prohibit weak, trivial, or shared passwords that enable authentication bypass for SAML users on the local login form.
- IA-2 (Identification and Authentication (Organizational Users)): provides robust organizational user identification and authentication, mitigating flaws in local login mechanisms for externally synced SAML users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing web application (OpenSlides) that allows a remote attacker to log in as any SAML-synced user through the local login form using a universal trivial password. This directly maps to T1190 (Exploit Public-Facing Application) for initial access and to T1078 (Valid Accounts), since the attacker authenticates with known usernames of legitimate accounts.
NVD Description
OpenSlides is a free, web-based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign-on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully login using the local login form and the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29.
Deeper analysis
CVE-2026-25519 is an improper access control vulnerability (CWE-284) in OpenSlides, a free web-based presentation and assembly system for managing agendas, motions, and elections. Prior to version 4.2.29, OpenSlides allows local logins with usernames and passwords or optional SAML single sign-on via an external identity provider. For users synchronized from an external IDP, the system fails to properly restrict local logins, enabling authentication with the OpenSlides username of any SAML user paired with a trivial password that is valid across all such users. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers without privileges can exploit this issue over the network by submitting credentials via the local login form, using any known SAML-synced username and the universal trivial password. Successful exploitation grants the attacker access equivalent to the targeted SAML user's privileges, potentially allowing unauthorized viewing, modification, or disruption of assembly data, agendas, motions, and elections, depending on the user's role.
The issue was addressed in OpenSlides version 4.2.29, as detailed in the project's release notes, security advisory GHSA-vv4h-8wfc-pf8c, and related changes in the openslides-auth-service repository, including commit 70c1aa9f5e1db59ec120ecce98d1c1169350a4ee and pull request 889. Security practitioners should upgrade to 4.2.29 or later and review configurations for SAML-synced users to ensure local login restrictions are enforced.
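The defect class described above is an authentication path that validates only the stored credential and never asks whether the account is allowed to use that path at all. The following is an added illustration, not OpenSlides code and not the fix from the referenced commit: the user model, the field name `saml_id`, the placeholder password value and the helper functions are all constructed for this example. It contrasts a local-login check that accepts any account with a matching hash against a hardened check that refuses local logins for externally managed accounts outright, and adds an audit helper a defender could run to find IdP-synced accounts that still carry a local password hash.

```python
"""Hypothetical local-login guard illustrating the CWE-284 defect class in CVE-2026-25519.
Not OpenSlides code: the User model, field names and helpers below are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class User:
    username: str
    password_hash: Optional[str]   # None when the account has no local password
    saml_id: Optional[str] = None  # set when the account is synced from an external IdP


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """PBKDF2-SHA256 hash, stored as 'salt_hex:digest_hex'. Iteration count kept low for the demo."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split(":", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 10_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def local_login_vulnerable(user: User, password: str) -> bool:
    """Flawed pattern: only the hash is checked, so a placeholder hash written by the
    IdP sync process becomes a valid local credential for every synced account."""
    return user.password_hash is not None and verify_password(password, user.password_hash)


def local_login_hardened(user: User, password: str) -> bool:
    """Access enforcement first (AC-3): accounts managed by an external IdP may never
    authenticate through the local form, whatever is stored in password_hash."""
    if user.saml_id is not None:
        return False
    if not user.password_hash:
        return False
    return verify_password(password, user.password_hash)


def audit_saml_accounts(users: Iterable[User]) -> List[str]:
    """Defensive check: usernames of IdP-synced accounts that still carry a local password hash."""
    return [u.username for u in users if u.saml_id is not None and u.password_hash]


# Constructed sample data: one local account and two IdP-synced accounts whose sync
# process stored the same placeholder password (the value itself is made up here).
PLACEHOLDER_PASSWORD = "constructed-placeholder"
_placeholder_hash = hash_password(PLACEHOLDER_PASSWORD)
USERS: Dict[str, User] = {
    "alice": User("alice", hash_password("correct horse")),
    "bob": User("bob", _placeholder_hash, saml_id="idp-user-1001"),
    "carol": User("carol", _placeholder_hash, saml_id="idp-user-1002"),
}

if __name__ == "__main__":
    print("vulnerable check, bob + placeholder:", local_login_vulnerable(USERS["bob"], PLACEHOLDER_PASSWORD))
    print("hardened check,   bob + placeholder:", local_login_hardened(USERS["bob"], PLACEHOLDER_PASSWORD))
    print("hardened check,   alice + real pw  :", local_login_hardened(USERS["alice"], "correct horse"))
    print("synced accounts with local hashes  :", audit_saml_accounts(USERS.values()))
```

The ordering in `local_login_hardened` is the point: the account's management source is checked before any credential material is touched, so the outcome does not depend on what a sync job happened to write into the password field. The audit helper gives an operator a way to confirm, after upgrading, that no synced account still carries a usable local hash.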
Details
- CWE(s)