<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Open Event - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/open-event/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 17 Jul 2026 17:23:59 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/open-event/feed.xml" rel="self" type="application/rss+xml"/><item><title>Open Event Server Authentication Bypass for Member Roster Export (CVE-2026-63101)</title><link>https://feed.craftedsignal.io/briefs/2026-07-open-event-server-auth-bypass/</link><pubDate>Fri, 17 Jul 2026 17:23:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-open-event-server-auth-bypass/</guid><description>An authentication bypass vulnerability, CVE-2026-63101, in Open Event Server through version 1.19.1 allows unauthenticated attackers to export the complete member roster of any group by exploiting unauthenticated CSV export and task status endpoints, leading to the exfiltration of sensitive data like email addresses, names, and roles.</description><content:encoded><![CDATA[<p>CVE-2026-63101 affects Open Event Server up to and including version 1.19.1, presenting a critical missing authentication vulnerability. This flaw enables unauthenticated attackers to bypass security controls and export the complete member roster of any group. The attack leverages specific API endpoints that lack proper authentication decorators, allowing unauthorized access to sensitive user data such as email addresses, names, join dates, and roles. Attackers can programmatically discover group IDs, trigger the export process, and retrieve the resulting CSV file containing the full member details. This vulnerability poses a significant risk of data exfiltration and privacy breaches for organizations utilizing affected versions of Open Event Server.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an instance of Open Event Server.</li>
<li>Attacker enumerates sequential group IDs, potentially by brute-forcing numerical IDs for target organizations.</li>
<li>Attacker crafts and sends an unauthenticated HTTP POST request to the <code>/api/groups/{groupID}/followers/export_csv</code> endpoint, specifying a known or enumerated <code>groupID</code>.</li>
<li>The vulnerable Open Event Server processes the unauthenticated request, initiating a CSV export task for the specified group's member roster.</li>
<li>Attacker polls an unauthenticated task status endpoint (e.g., <code>/api/export_tasks/{taskID}/status</code>) using the <code>taskID</code> received from the previous export request, to monitor the completion status of the export job.</li>
<li>Once the export task is completed, the task status response provides a download URL for the generated CSV file.</li>
<li>Attacker accesses the provided download URL to retrieve the CSV file, which contains the complete member roster including email addresses, names, join dates, and roles.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-63101 leads to the complete compromise and exfiltration of sensitive member data from affected Open Event Server instances. This includes personally identifiable information (PII) such as email addresses, full names, account creation dates, and assigned roles within groups. The exposure of this data can result in severe privacy violations, facilitate targeted phishing campaigns, social engineering attacks against organization members, and compliance failures under data protection regulations. The ease of exploitation, requiring no authentication, means a wide range of organizations using Open Event Server could be at risk of significant data breaches.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-63101 immediately by upgrading Open Event Server to a version beyond 1.19.1 that addresses this vulnerability.</li>
<li>Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect suspicious activity related to CVE-2026-63101.</li>
<li>Monitor web server logs for HTTP POST requests to <code>/api/groups/*/followers/export_csv</code> and HTTP GET requests to <code>/api/export_tasks/*/status</code> without associated authentication tokens or session IDs.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authentication-bypass</category><category>data-exfiltration</category><category>web-application</category><category>cve</category></item></channel></rss>