CVE-2026-25519
📋 TL;DR
OpenSlides versions before 4.2.29 have an authentication bypass vulnerability where users synced via external SAML identity providers can be logged into locally using their OpenSlides username and a trivial password that works for all SAML users. This allows unauthorized access to user accounts configured for SAML authentication. Organizations using OpenSlides with SAML integration are affected.
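The bug class described above, as an added illustrative model rather than OpenSlides code: the page does not describe the exact mechanism in openslides-auth-service, so the `auth_source` field, the shared default password `SHARED_DEFAULT`, and the provisioning functions are assumptions. A SAML-provisioned account that is stored with a shared local password passes an ordinary password check; the hardened version stores no local credential for SAML accounts and refuses password login for them outright, so even a stray hash cannot be used.

```python
"""Model of the bug class behind CVE-2026-25519 (SAML-synced users accepting a
shared local password) next to a hardened login check. Added example; not
OpenSlides code, and the real fix's mechanism is not described on the page."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class User:
    username: str
    auth_source: str                 # "local" or "saml" (hypothetical field)
    salt: bytes
    password_hash: Optional[bytes]   # None means "no local credential"


# Constructed stand-in for the trivial password the advisory refers to.
SHARED_DEFAULT = "changeme"


# --- Vulnerable pattern: every SAML-synced account gets the same default password
def provision_saml_user_vulnerable(username: str) -> User:
    salt = os.urandom(16)
    return User(username, "saml", salt, hash_password(SHARED_DEFAULT, salt))


def login_vulnerable(user: User, password: str) -> bool:
    # Checks only the password; ignores how the account is meant to authenticate.
    if user.password_hash is None:
        return False
    return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


# --- Hardened pattern: SAML accounts carry no usable local credential, and the
# local login path refuses them explicitly regardless of what is stored.
def provision_saml_user_fixed(username: str) -> User:
    return User(username, "saml", os.urandom(16), None)


def create_local_user(username: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, "local", salt, hash_password(password, salt))


def login_fixed(user: User, password: str) -> bool:
    if user.auth_source != "local":
        return False  # SAML-managed accounts must authenticate through the IdP
    if user.password_hash is None:
        return False
    return hmac.compare_digest(user.password_hash, hash_password(password, user.salt))


if __name__ == "__main__":
    synced = provision_saml_user_vulnerable("alice")
    print("vulnerable accepts shared default:", login_vulnerable(synced, SHARED_DEFAULT))
    print("fixed refuses same account:", login_fixed(synced, SHARED_DEFAULT))
```

The design point is the second gate in `login_fixed`: provisioning SAML users without a password hash closes the obvious hole, but checking `auth_source` as well means a later migration or admin action that sets a password on a SAML account still cannot turn it into a locally usable credential.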
💻 Affected Systems
- OpenSlides
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to all SAML-synced user accounts, potentially compromising sensitive meeting data, manipulating elections/votes, and accessing administrative functions depending on user privileges.
Likely Case
Unauthorized users access SAML-synced accounts with standard user privileges, potentially viewing or modifying meeting materials, agendas, and participant data.
If Mitigated
With proper network segmentation and monitoring, unauthorized access is detected quickly and limited to the OpenSlides application layer.
🎯 Exploit Status
Exploitation requires knowledge of SAML-synced usernames and the trivial password. No authentication is needed to attempt the local login form.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.29
Vendor Advisory: https://github.com/OpenSlides/OpenSlides/security/advisories/GHSA-vv4h-8wfc-pf8c
Restart Required: Yes
Instructions:
1. Backup your OpenSlides installation and database.
2. Update to OpenSlides version 4.2.29 or later.
3. Restart the OpenSlides service.
4. Verify the fix by testing SAML user local login attempts.
🔧 Temporary Workarounds
Disable local login for SAML users
Temporarily disable the local login form or restrict access to it while maintaining SAML authentication.
# Configure web server (nginx example) to block /system/login path
location /system/login { deny all; }
Network access control
Restrict access to the OpenSlides login interface to trusted networks only.
# Example iptables rules for Linux: accept the trusted network, then drop everyone else
# (the ACCEPT rules alone do not restrict anything without a matching DROP)
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
🧯 If You Can't Patch
- Disable SAML authentication entirely and use only local authentication with strong passwords.
- Implement Web Application Firewall (WAF) rules to block suspicious login patterns to the local login endpoint.
🔍 How to Verify
Check if Vulnerable:
Attempt to log in via the local login form using a known SAML-synced username and any trivial password (like 'password' or '1234'). If login succeeds, the system is vulnerable.
Check Version:
Check the OpenSlides web interface admin panel or run: docker inspect openslides | grep version
Verify Fix Applied:
After patching, attempt the same login test with SAML-synced usernames and trivial passwords. Login should fail with proper authentication errors.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful logins for SAML-synced usernames
- Successful local logins for users known to use SAML authentication
- Login attempts using trivial/common passwords
Network Indicators:
- Unusual source IPs accessing /system/login endpoint
- High volume of POST requests to login endpoint
SIEM Query:
source="openslides.log" AND ((event="login_success" AND user="*saml*") OR (event="login_attempt" AND password="password|1234|admin"))
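The two log indicators above (a successful local password login by a SAML-synced account, and a burst of failures followed by a success) as detection logic run over constructed sample lines. This is an added example, not OpenSlides tooling: the line format, field names (`user=`, `method=`, `result=`, `src=`) and the `SAML_SYNCED_USERS` set are assumptions, so adapt `LINE_RE` to your deployment's actual auth log and feed the SAML user list from your directory.

```python
"""Detection over constructed OpenSlides-style auth log lines. Added example;
the log format is assumed, not the real OpenSlides format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (format assumed; not OpenSlides' actual log format).
SAMPLE_LOG = """\
2026-02-10T09:14:02Z auth login_attempt user=j.doe method=password result=failure src=203.0.113.5
2026-02-10T09:14:05Z auth login_attempt user=j.doe method=password result=failure src=203.0.113.5
2026-02-10T09:14:09Z auth login_attempt user=j.doe method=password result=failure src=203.0.113.5
2026-02-10T09:14:12Z auth login_attempt user=j.doe method=password result=success src=203.0.113.5
2026-02-10T09:20:40Z auth login_attempt user=m.smith method=saml result=success src=198.51.100.7
2026-02-10T09:31:15Z auth login_attempt user=admin method=password result=success src=10.0.0.4
"""

# Accounts provisioned from the SAML IdP (in practice, exported from your user directory).
SAML_SYNCED_USERS = {"j.doe", "m.smith"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login_attempt user=(?P<user>\S+) method=(?P<method>\S+) "
    r"result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn matching lines into dicts with a datetime timestamp; skip unrelated lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def local_logins_by_saml_users(events, saml_users):
    """Indicator: successful password login by an account that should only use SAML."""
    return [e for e in events
            if e["method"] == "password" and e["result"] == "success"
            and e["user"] in saml_users]


def failures_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Indicator: at least min_failures failed password logins for one (user, src)
    followed by a success within the window."""
    alerts = []
    recent = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["method"] != "password":
            continue
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            recent[key] = [t for t in recent[key] if e["ts"] - t <= window] + [e["ts"]]
        elif e["result"] == "success":
            fails = [t for t in recent[key] if e["ts"] - t <= window]
            if len(fails) >= min_failures:
                alerts.append({"user": e["user"], "src": e["src"],
                               "failures": len(fails), "ts": e["ts"]})
            recent[key] = []
    return alerts


def run(log_text=SAMPLE_LOG, saml_users=SAML_SYNCED_USERS):
    events = parse(log_text)
    return {
        "saml_user_local_login": [e["user"] for e in local_logins_by_saml_users(events, saml_users)],
        "failures_then_success": failures_then_success(events),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

The first check is the high-signal one for this CVE: a SAML-managed account should never produce a successful `method=password` event, so a single hit is worth an alert, not a threshold. The example deliberately keys on the authentication method rather than on submitted password values, since passwords should not be written to logs in the first place.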
🔗 References
- https://github.com/OpenSlides/OpenSlides/releases/tag/4.2.29
- https://github.com/OpenSlides/OpenSlides/security/advisories/GHSA-vv4h-8wfc-pf8c
- https://github.com/OpenSlides/openslides-auth-service/commit/70c1aa9f5e1db59ec120ecce98d1c1169350a4ee
- https://github.com/OpenSlides/openslides-auth-service/pull/889