CVE-2026-63101

FOSSASIA · open-event-server

FOSSASIA open-event-server suffers from a missing authentication vulnerability, specifically affecting the member roster export via the CSV export endpoint.

Executive summary

An unauthenticated access vulnerability in FOSSASIA open-event-server allows remote attackers to export sensitive member roster data.

Vulnerability

This is an authentication bypass vulnerability (CWE-306) affecting the CSV export endpoint. The CVSS 4.0 vector confirms that an unauthenticated remote attacker can access sensitive information without user interaction.

Business impact

With a CVSS score of 7.5, this vulnerability represents a high risk to data privacy. Unauthorized export of member rosters can lead to the exposure of personally identifiable information (PII), resulting in compliance violations and reputational damage.

Remediation

Immediate Action: Review vendor documentation for available security updates and apply them as soon as they are released.

Proactive Monitoring: Monitor network traffic for unusual or excessive requests to CSV export endpoints and audit logs for unauthorized data extraction.

Compensating Controls: Restrict access to the application via network-level controls or a WAF until a patch is applied to enforce authentication on the affected endpoint.

Exploitation status

Public Exploit Available: No confirmed public weaponized exploit exists.

Analyst recommendation

Given the existence of a proof-of-concept, organizations should treat this vulnerability as a high priority. Ensure that access to the open-event-server is restricted and monitor for any signs of unauthorized data exports while awaiting an official patch.