CVE-2026-22886
Default Credential Authentication Bypass in OpenMQ imqbrokerd Service
Publication date: 2026-03-03
Last updated on: 2026-04-09
Assigner: Eclipse Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eclipse | openmq | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1392 | The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. |
| CWE-1393 | The product uses default passwords for potentially critical functionality. |
| CWE-1391 | The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22886 is a critical vulnerability in the Eclipse OpenMQ project's TCP-based management service called imqbrokerd. This service requires authentication but ships with a default administrative account using the credentials admin/admin.
The system does not enforce a mandatory password change upon first login, and after the initial access, it continues to accept the default password indefinitely without any warning or enforcement.
In real-world deployments, this default credential is often left unchanged, allowing remote attackers with access to the service port to authenticate as administrators and gain full control over the protocol's administrative features. [1]
How can this vulnerability impact me?
This vulnerability allows a remote attacker with access to the TCP management service port to authenticate as an administrator using default credentials.
Once authenticated, the attacker gains full control over the protocol's administrative features, which can lead to unauthorized configuration changes, disruption of service, or exploitation of other authenticated-only vulnerabilities within the same protocol.
The vulnerability has a high severity with a CVSS score of 9.8, indicating it can cause significant confidentiality, integrity, and availability impacts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the OpenMQ TCP-based management service (imqbrokerd) is running and accessible on your network, and then attempting to authenticate using the default administrative credentials (admin/admin). If authentication succeeds without requiring a password change, the system is vulnerable.
A practical approach is to scan for the service port used by imqbrokerd and then attempt a login using the default credentials.
- Use a network scanning tool like nmap to identify if the imqbrokerd service port is open.
- Attempt to authenticate to the service using a client or script with the username 'admin' and password 'admin'.
- Example command to scan for open ports (replace <host> and <port> accordingly): nmap -p <port> <host>
- If a client tool for OpenMQ management is available, use it to attempt login with default credentials. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include changing the default administrative password from 'admin' to a strong, unique password as soon as possible.
Additionally, if the management service (imqbrokerd) is not required, consider disabling it to reduce the attack surface.
Ensure that access to the service port is restricted via network controls such as firewalls or access control lists to limit exposure to trusted hosts only.
Regularly audit and monitor authentication logs for any unauthorized access attempts. [1]