CVE-2026-33266 - Vulnerability Details

- Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt

Description

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.

The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.

This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

Published: 2026-04-09

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Apache OpenMeetings stores its remember‑me cookie encryption key in openmeetings.properties with a hard‑coded default value that is never rotated unless an administrator manually changes it. Because the key remains constant, an attacker who obtains a valid cookie can decrypt it and retrieve full user credentials, thereby impersonating the logged‑in user. This threat arises from improper key management (CWE‑321) and directly enables unauthorized access.

Affected Systems

All installations of Apache OpenMeetings from release 6.1.0 up through, but not including, version 9.0.0 are affected. Enterprises running any of these versions are vulnerable until they move to version 9.0.0 or later.

Risk and Exploitability

The CVSS base score of 7.5 reflects a high severity impact, while the EPSS score of less than 1% indicates a low probability of active exploitation in the current environment. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker already possess a legitimate remember‑me cookie—obtained via phishing, session hijacking, or other user‑targeted methods. With the cookie, the attacker can immediately replay it to gain authenticated session access without needing additional system privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache OpenMeetings

unaffected

Version	Status	Constraints
`6.1.0`	affected	< 9.0.0

Configuration 1 [-]

cpe:2.3:a:apache:openmeetings:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Apache

Openmeetings

95%

Version	Status	Scheme	Platform
`[6.1.0,9.0.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Apache OpenMeetings to version 9.0.0 or later.

Generated by OpenCVE AI on April 10, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-wqxq-w68r-wg85	Apache OpenMeetings Uses Hard-coded Cryptographic Key

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00067.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/04/09/11
https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66

History

Wed, 15 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:apache:openmeetings::::::::

Fri, 10 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache openmeetings
Vendors & Products		Apache Apache openmeetings

Thu, 09 Apr 2026 17:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/04/09/11

Thu, 09 Apr 2026 16:00:00 +0000

Type	Values Removed	Values Added
Description		Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Title		Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt
Weaknesses		CWE-321
References		https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66

Subscriptions

Apache Openmeetings

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-04-09T15:52:36.105Z

Updated: 2026-04-10T18:49:13.351Z

Reserved: 2026-03-18T14:16:42.998Z

Link: CVE-2026-33266

Vulnrichment

Updated: 2026-04-09T16:29:21.634Z

NVD

Status : Analyzed

Published: 2026-04-09T16:16:26.960

Modified: 2026-04-15T15:21:55.863

Link: CVE-2026-33266

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:06:52Z

Weaknesses

CWE-321

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object