CVE-2026-33266

CWE-3215 documents5 sources

Severity

7.5HIGH

No vector

EPSS

0.0%

top 95.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Openmeetings

Timeline

PublishedApr 9

Description

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.

Affected Packages2 packages

▶Mavenorg.apache.openmeetings:openmeetings-parent6.1.0 — 9.0.0

▶CVEListV5apache_software_foundation/apache_openmeetings6.1.0 — 9.0.0

🔴Vulnerability Details

GHSA

GHSA-wqxq-w68r-wg85: Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings↗2026-04-09

▶

GHSA

Apache OpenMeetings Uses Hard-coded Cryptographic Key↗2026-04-09

▶

VulDB

Apache OpenMeetings up to 8.x a one-way hash with a predictable salt↗2026-04-09

▶

CVEList

Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt↗2026-04-09

▶