Hard-coded Cryptographic Key Vulnerability in Apache OpenMeetings
CVE-2026-33266
Currently unrated
What is CVE-2026-33266?
Apache OpenMeetings encrypts the remember-me cookie with a hard-coded key that is set to a default value in the configuration file openmeetings.properties. If the system administrator does not change this default key, an attacker who captures a cookie from an authenticated user could potentially gain full access to that user's credentials. The vulnerability affects OpenMeetings versions from 6.1.0 up to, but not including, 9.0.0. Users are strongly advised to upgrade to version 9.0.0, which addresses and resolves this security risk.
Affected Version(s)
Apache OpenMeetings 6.1.0 < 9.0.0
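
The following audit sketch is an added example, not code from the OpenMeetings project: it checks whether an installation falls in the affected range and whether the remember-me key in the deployed openmeetings.properties is still identical to the one in the unmodified copy shipped with the release. The property name `example.rememberme.key` and both sample files are constructed placeholders; substitute the key property your own file uses.

```python
import re

AFFECTED_MIN = (6, 1, 0)  # first affected release, per the advisory
FIXED_IN = (9, 0, 0)      # first fixed release, per the advisory
KEY_PROP = "example.rememberme.key"  # hypothetical name; use the one in your file
# Constructed sample files, not taken from any OpenMeetings release.
SHIPPED = "# shipped copy\nexample.rememberme.key=SHIPPED-DEFAULT-PLACEHOLDER\n"
ROTATED = "# deployed copy\nexample.rememberme.key = constructed-site-specific-value\n"


def parse_version(text):
    """Turn '8.0.0' or '7.2.0-SNAPSHOT' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def parse_properties(text):
    """Minimal Java .properties reader: key=value, key:value, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"([^#!=:\s][^=:\s]*)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(version, shipped_text, deployed_text, key_prop=KEY_PROP):
    """Return findings for one installation; an empty list means not affected."""
    if not is_affected(version):
        return []
    findings = [f"version {version} is in the affected range; upgrade to 9.0.0"]
    shipped = parse_properties(shipped_text).get(key_prop)
    deployed = parse_properties(deployed_text).get(key_prop)
    if deployed is None:
        findings.append(f"{key_prop} not found; confirm which key is in effect")
    elif deployed == shipped:
        findings.append(f"{key_prop} still equals the shipped default; rotate it")
    return findings


if __name__ == "__main__":
    for finding in audit("8.0.0", SHIPPED, SHIPPED):
        print("FINDING:", finding)
```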