CVE-2026-63101
Received Received - Intake

Unauthenticated CSV Export of Member Data in Open Event Server

Vulnerability report for CVE-2026-63101, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

Open Event Server through 1.19.1 contains a missing authentication vulnerability that allows unauthenticated attackers to export the complete member roster of any group, including email addresses, names, join dates, and roles, by submitting requests to the group followers CSV export endpoint which lacks any authentication decorator. Attackers can enumerate sequential group IDs via brute-force, trigger an export via the unauthenticated POST endpoint, then poll the unauthenticated task status endpoint until completion to retrieve a download URL containing the full member CSV.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
open_event server 1.19.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-63101 is a missing authentication vulnerability in Open Event Server through version 1.19.1. It allows unauthenticated attackers to export the complete member roster of any group by exploiting an unauthenticated CSV export endpoint. Attackers can brute-force sequential group IDs, trigger an export via a POST request, and retrieve the full CSV file containing sensitive data like email addresses, names, join dates, and roles through an unauthenticated task status endpoint.

Detection Guidance

Check for unauthorized POST requests to /v1/group/<group_id>/export/followers/csv and GET requests to /v1/tasks/<task_id>. Monitor for unusual CSV file downloads or task status polling from unknown sources. Review server logs for repeated sequential group ID attempts.

Impact Analysis

This vulnerability can expose sensitive personal data such as email addresses, names, and roles of group members. Attackers could use this information for phishing, spam campaigns, or other malicious activities. The lack of authentication means any attacker can access this data without detection.

Compliance Impact

This vulnerability likely violates privacy regulations like GDPR and HIPAA by exposing personally identifiable information without consent. GDPR requires protecting personal data, and HIPAA mandates safeguarding health-related data. The unauthorized access to member rosters could lead to regulatory penalties and legal consequences.

Mitigation Strategies

Apply the latest patch for Open Event Server. Restrict access to the endpoints /v1/group/<group_id>/export/followers/csv and /v1/tasks/<task_id> by adding authentication. Monitor network traffic for suspicious activity targeting these paths.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63101. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart