Hard-coded Cryptographic Key Vulnerability in Apache OpenMeetings
CVE-2026-33266

7.5 HIGH

Key Information:

Vendor: Apache
CVE Published: 9 April 2026

What is CVE-2026-33266?

Apache OpenMeetings uses a hard-coded encryption key for the remember-me cookie, set to a default value in the configuration file openmeetings.properties. If the system administrator has not changed this default key, an attacker who captures a cookie from an authenticated user could potentially gain full access to that user's credentials. The vulnerability affects OpenMeetings versions from 6.1.0 up to, but not including, 9.0.0. Users are strongly advised to upgrade to version 9.0.0, which resolves the issue.

Affected Version(s)

Apache OpenMeetings >= 6.1.0, < 9.0.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

4ra2n (A code security AI agent)