{
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE",
                "url": "https://www.first.org/tlp/v1/"
            }
        },
        "lang": "en",
        "publisher": {
            "category": "vendor",
            "contact_details": "mailto:security@intevation.de, encryption via OpenPGP: https://intevation.de/.well-known/openpgpkey/hu/t5s8ztdbon8yzntexy6oz5y48etqsnbb",
            "name": "Intevation GmbH",
            "namespace": "https://intevation.de"
        },
        "references":[
            {
                "category": "self",
                "summary": "intevation-openslides-2026-001",
                "url": "https://intevation.de/.well-known/csaf/white/2026/intevation-openslides-2026-001.json"
            }
        ],
        "title": "Incorrect access control in SAML authentication service of OpenSlides",
        "tracking": {
            "current_release_date": "2026-02-09T11:30:00.000Z",
            "id": "intevation-openslides-2026-001",
            "initial_release_date": "2026-02-09T11:30:00.000Z",
            "revision_history": [
                {
                    "date": "2026-02-09T11:30:00.000Z",
                    "number": "1.0.0",
                    "summary": "Initial revision"
                }
            ],
            "status": "final",
            "version": "1.0.0"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:intdot/>=4.2.5|<=4.2.28",
                                "product": {
                                    "name": "OpenSlides versions 4.2.5 through 4.2.28 (inclusive)",
                                    "product_id": "openslides-be-4.2.5-4.2.28"
                                }
                            },
                            {
                                "category": "product_version",
                                "name": "vers:intdot/4.2.29",
                                "product": {
                                    "name": "OpenSlides version 4.2.29",
                                    "product_id": "openslides-e-4.2.29"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "OpenSlides"
                    }
                ],
                "category": "vendor",
                "name": "Intevation GmbH"
            }
        ]
    },
    "vulnerabilities": [
        {
            "acknowledgments": [
                {
                  "names": [ "Kai Sisterhenn" ],
                  "summary": "Initial report",
                  "urls": [ "https://sistason.de/" ]
                }
            ],
            "cve": "CVE-2026-25519",
            "notes": [
                {
                    "category": "description",
                    "text": "OpenSlides supports local logins with username and password and, optionally, single sign-on via SAML with an external identity provider (IdP). For user accounts provisioned in OpenSlides through the external IdP, access control on the local login path is incorrect: an unauthenticated attacker who knows or guesses the OpenSlides username of such a SAML-provisioned user can log in through the local login form with a trivial password. The same password is accepted for every SAML-provisioned user in an affected deployment; the only information the attacker needs is the target's OpenSlides username. Since these accounts are expected to authenticate only through the IdP, this effectively bypasses whatever authentication controls the IdP enforces for them."
                }
            ],
            "product_status": {
                "first_fixed": [
                    "openslides-e-4.2.29"
                ],
                "fixed": [
                    "openslides-e-4.2.29"
                ],
                "known_affected": [
                    "openslides-be-4.2.5-4.2.28"
                ]
            },
            "remediations": [
                {
                    "category": "vendor_fix",
                    "date": "2026-01-17T18:32:00.000Z",
                    "details": "Update OpenSlides to version 4.2.29 or later; 4.2.29 is the first release containing the fix.",
                    "product_ids": [
                        "openslides-be-4.2.5-4.2.28"
                    ],
                    "url": "https://github.com/OpenSlides/OpenSlides/releases"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                      "baseScore": 8.1,
                      "baseSeverity": "HIGH",
                      "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                      "version": "3.1"
                    },
                    "products": [
                        "openslides-be-4.2.5-4.2.28"
                    ]
                }
            ]
        }
    ]
}
