Description
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement.

In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.
Published: 2026-03-03
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote authentication abuse
Action: Patch Now
AI Analysis

Impact

Eclipse OpenMQ exposes a TCP-based management service that requires authentication. The package ships with a default administrative account, username and password both set to 'admin', and the system does not enforce a mandatory password change on first use. After a successful login, the server continues to accept these default credentials indefinitely, giving an attacker who can reach the service port a persistent administrative session and full control of the management protocol.

Affected Systems

The vulnerability affects Eclipse OpenMQ, as defined by its CNA. No specific version range is listed; it applies to all currently shipped versions that include the imqbrokerd management service with the default admin account left enabled without a forced password change.

Risk and Exploitability

The CVSS base score is 9.8, indicating critical severity. The EPSS score is less than 1%, implying that exploitation has been rare to date, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is remote and network-based; an attacker with access to the management service port can authenticate with the default credentials and perform any administrative task defined by the protocol, including user management, configuration changes, and data exposure. Because the default account remains valid indefinitely, the opportunity for exploitation remains broad as long as the service is left enabled without credential changes.

Generated by OpenCVE AI on April 16, 2026 at 14:07 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Eclipse OpenMQ update that removes or disables the default admin account and requires a mandatory password change upon first login
  • If an update cannot be applied immediately, disable the imqbrokerd TCP management service to block unauthenticated access
  • Configure all administrative accounts with strong, unique passwords and enforce periodic password changes to reduce the risk of credential compromise

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:30:00 +0000
Type: Title
  Values Added: Default Credentials Persist in Eclipse OpenMQ TCP Management Service Allowing Remote Administration

Thu, 09 Apr 2026 20:00:00 +0000
Type: CPEs
  Values Removed: cpe:2.3:a:elipse:openmq:*:*:*:*:*:*:*:*
  Values Added: cpe:2.3:a:eclipse:openmq:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Removed: Elipse; Elipse openmq

Thu, 02 Apr 2026 20:30:00 +0000
Type: First Time appeared
  Values Added: Elipse; Elipse openmq
Type: CPEs
  Values Added: cpe:2.3:a:elipse:openmq:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Elipse; Elipse openmq

Wed, 04 Mar 2026 15:00:00 +0000
Type: First Time appeared
  Values Added: Eclipse; Eclipse openmq
Type: Vendors & Products
  Values Added: Eclipse; Eclipse openmq

Tue, 03 Mar 2026 15:15:00 +0000
Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 03 Mar 2026 09:30:00 +0000
Type: Description
  Values Added: OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.
Type: Weaknesses
  Values Added: CWE-1391; CWE-1392; CWE-1393
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-03-03T14:51:24.570Z

Reserved: 2026-01-23T11:07:26.448Z

Link: CVE-2026-22886

Vulnrichment

Updated: 2026-03-03T14:51:21.267Z

NVD

Status: Analyzed

Published: 2026-03-03T10:16:06.267

Modified: 2026-04-09T19:47:40.263

Link: CVE-2026-22886

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:15:28Z