2019-SV6 Group Owner Context

affects OMERO.server versions 5.1.0 to 5.6.0


OMERO does not fully restrict the actions of group owners to within their group.


OMERO allows group owners to perform various actions as another member of their group. In some cases, these actions are not restricted to the group they own.

OMERO 5.6.1 adds a server-side check that the session context for a group owner is limited to their groups.

This vulnerability is identified as CVE-2020-6752.
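The kind of server-side restriction described above can be modelled as follows. This is an added, simplified example and not OMERO's own code: the `Directory` class, the `check_act_as` function, and the group and user names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Directory:
    """Constructed group directory: group name -> set of user names."""
    owners: dict = field(default_factory=dict)
    members: dict = field(default_factory=dict)

    def owned_by(self, user):
        # Groups in which `user` holds the owner role.
        return {g for g, users in self.owners.items() if user in users}


def check_act_as(directory, actor, target, group_context):
    """Decide whether `actor` may act as `target` while the session's
    group context is `group_context`. Returns (allowed, reason)."""
    owned = directory.owned_by(actor)
    if not owned:
        return False, "actor owns no group"
    if group_context not in owned:
        # The restriction the advisory describes: the session context
        # for a group owner must stay inside the groups they own.
        return False, "group context outside actor's groups"
    if target not in directory.members.get(group_context, set()):
        return False, "target is not a member of the context group"
    return True, "owner acting within owned group"


# Constructed sample: carol belongs to two groups, alice owns only lab-a.
DIRECTORY = Directory(
    owners={"lab-a": {"alice"}, "lab-b": {"bob"}},
    members={"lab-a": {"alice", "carol"}, "lab-b": {"bob", "carol"}},
)
REQUESTS = [
    ("alice", "carol", "lab-a"),  # owner, member, owned group
    ("alice", "carol", "lab-b"),  # same member, group alice does not own
    ("alice", "bob", "lab-a"),    # target is not in the owned group
    ("carol", "alice", "lab-a"),  # actor is not an owner at all
]


def evaluate(requests):
    return [check_act_as(DIRECTORY, *r) for r in requests]


if __name__ == "__main__":
    for req, (ok, why) in zip(REQUESTS, evaluate(REQUESTS)):
        print(req, "ALLOW" if ok else "DENY", "-", why)
```

The second request is the case the check exists for: the target is a legitimate member of a group the actor owns, but the requested session context lies in a different group.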

Affected Packages

OMERO.server before 5.6.1.


Low severity.

CVSS score 3.6, vector AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C


All OMERO.servers should be upgraded to at least 5.6.1.