CVE-2026-33266
Received Received - Intake
Hard-coded Key in Apache OpenMeetings Enables Credential Theft

Publication date: 2026-04-09

Last updated on: 2026-04-15

Assigner: Apache Software Foundation

Description
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33266
EUVD
EUVD-2026-20936
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache openmeetings From 6.1.0 (inc) to 9.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-321 The product uses a hard-coded, unchangeable cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker who has stolen a remember-me cookie to decrypt it and gain full user credentials if the default hard-coded cryptographic key has not been changed. This can lead to unauthorized access to user accounts and potential compromise of sensitive personal data.

Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate appropriate security controls to prevent unauthorized access.

Therefore, failure to change the default encryption key and mitigate this vulnerability may result in non-compliance with these regulations due to inadequate protection of user credentials and personal data.

Executive Summary

This vulnerability is a Use of Hard-coded Cryptographic Key issue in Apache OpenMeetings. Specifically, the remember-me cookie encryption key is set to a default value in the openmeetings.properties file and is not automatically rotated. If the administrator has not changed this default encryption key, an attacker who steals a cookie from a logged-in user can obtain full user credentials.

Impact Analysis

If exploited, this vulnerability allows an attacker to gain full user credentials by stealing a remember-me cookie from a logged-in user. This can lead to unauthorized access to user accounts and potentially sensitive information within Apache OpenMeetings.

Mitigation Strategies

Users are recommended to upgrade Apache OpenMeetings to version 9.0.0, which fixes the issue.

Ensure that the default remember-me cookie encryption key in openmeetings.properties is changed from its default value to a unique, secure key.

Detection Guidance

This vulnerability can be detected by checking if the Apache OpenMeetings installation is using the default remember-me cookie encryption key and salt in the openmeetings.properties configuration file.

Specifically, you need to verify whether the encryption key and salt values have been changed from their default settings, as the vulnerability exists if they remain at default.

A practical approach is to locate and inspect the openmeetings.properties file on the server hosting OpenMeetings.

  • Use commands like `grep` to find the relevant keys, for example: `grep -i 'rememberme.key' /path/to/openmeetings.properties` and `grep -i 'rememberme.salt' /path/to/openmeetings.properties`.
  • Compare the found values against the known default values documented by Apache OpenMeetings or the vulnerability advisory.

If the values match the default, the system is vulnerable and should be upgraded to version 9.0.0 or later, or the keys should be changed immediately.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33266. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart