CVE-2026-33266
Hard-coded Key in Apache OpenMeetings Enables Credential Theft
Publication date: 2026-04-09
Last updated on: 2026-04-15
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | openmeetings | From 6.1.0 (inc) to 9.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker who has stolen a remember-me cookie to decrypt it and gain full user credentials if the default hard-coded cryptographic key has not been changed. This can lead to unauthorized access to user accounts and potential compromise of sensitive personal data.
Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate appropriate security controls to prevent unauthorized access.
Therefore, failure to change the default encryption key and mitigate this vulnerability may result in non-compliance with these regulations due to inadequate protection of user credentials and personal data.
Can you explain this vulnerability to me?
This vulnerability is a Use of Hard-coded Cryptographic Key issue in Apache OpenMeetings. Specifically, the remember-me cookie encryption key is set to a default value in the openmeetings.properties file and is not automatically rotated. If the administrator has not changed this default encryption key, an attacker who steals a cookie from a logged-in user can obtain full user credentials.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to gain full user credentials by stealing a remember-me cookie from a logged-in user. This can lead to unauthorized access to user accounts and potentially sensitive information within Apache OpenMeetings.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade Apache OpenMeetings to version 9.0.0, which fixes the issue.
Ensure that the default remember-me cookie encryption key in openmeetings.properties is changed from its default value to a unique, secure key.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Apache OpenMeetings installation is using the default remember-me cookie encryption key and salt in the openmeetings.properties configuration file.
Specifically, you need to verify whether the encryption key and salt values have been changed from their default settings, as the vulnerability exists if they remain at default.
A practical approach is to locate and inspect the openmeetings.properties file on the server hosting OpenMeetings.
- Use commands like `grep` to find the relevant keys, for example: `grep -i 'rememberme.key' /path/to/openmeetings.properties` and `grep -i 'rememberme.salt' /path/to/openmeetings.properties`.
- Compare the found values against the known default values documented by Apache OpenMeetings or the vulnerability advisory.
If the values match the default, the system is vulnerable and should be upgraded to version 9.0.0 or later, or the keys should be changed immediately.
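The check described above, as an added example that is not part of this advisory or of the Apache OpenMeetings project: a small Python script that parses a Java `.properties` file, looks up the remember-me key and salt, and reports whether they are unchanged, absent, or customised. The property names `rememberme.key` and `rememberme.salt` are taken from the grep commands above and are an assumption about the real configuration; the default values are placeholders that must be replaced with the shipped defaults from the advisory or a pristine `openmeetings.properties` before the script is used for a real audit.

```python
"""Audit an openmeetings.properties file for unchanged remember-me secrets.

Added example for this advisory page; not code from the Apache OpenMeetings project.
ASSUMPTION: property names follow the grep commands in the text above.
PLACEHOLDER: the default values below are not the real defaults; fill them in from
the advisory or a pristine shipped configuration before relying on the result.
"""
import re
import sys
from pathlib import Path

KEY_PROPERTY = "rememberme.key"    # assumed property name
SALT_PROPERTY = "rememberme.salt"  # assumed property name

# PLACEHOLDER defaults; replace with the real shipped values.
KNOWN_DEFAULTS = {
    KEY_PROPERTY: "DEFAULT-KEY-PLACEHOLDER",
    SALT_PROPERTY: "DEFAULT-SALT-PLACEHOLDER",
}

# key, optional whitespace, '=' or ':' separator, value
_LINE_RE = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser.

    Handles '#' and '!' comment lines, '=' or ':' separators, and backslash
    line continuations (leading whitespace of the continued line is dropped,
    as java.util.Properties does). Enough for a key/value audit like this one.
    """
    logical_lines: list[str] = []
    buf = ""
    continuing = False
    for raw in text.splitlines():
        line = raw.lstrip() if continuing else raw
        stripped = line.rstrip()
        # A single trailing backslash (not an escaped one) joins the next line.
        if stripped.endswith("\\") and not stripped.endswith("\\\\"):
            buf += stripped[:-1]
            continuing = True
            continue
        buf += line
        logical_lines.append(buf)
        buf, continuing = "", False
    if buf:
        logical_lines.append(buf)

    props: dict[str, str] = {}
    for line in logical_lines:
        s = line.strip()
        if not s or s[0] in "#!":
            continue
        m = _LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props: dict[str, str]) -> dict[str, str]:
    """Classify each secret as 'default', 'missing', or 'custom'."""
    findings = {}
    for name, default in KNOWN_DEFAULTS.items():
        value = props.get(name, "")
        if value == "":
            findings[name] = "missing"
        elif value == default:
            findings[name] = "default"
        else:
            findings[name] = "custom"
    return findings


def assess(props: dict[str, str]) -> str:
    """VULNERABLE if any secret equals its default, REVIEW if one is absent
    (the server may then fall back to a built-in value), otherwise OK."""
    findings = audit(props)
    if "default" in findings.values():
        return "VULNERABLE"
    if "missing" in findings.values():
        return "REVIEW"
    return "OK"


# Constructed sample configs (not real OpenMeetings files).
SAMPLE_UNCHANGED = """# constructed sample: defaults left in place
rememberme.key=DEFAULT-KEY-PLACEHOLDER
rememberme.salt = DEFAULT-SALT-PLACEHOLDER
"""
SAMPLE_ROTATED = """# constructed sample: administrator rotated both values
rememberme.key=9f3c7a2e-constructed-custom-key
rememberme.salt: s0meC0nstructedS4lt
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        text = Path(sys.argv[1]).read_text(encoding="utf-8")
    else:
        text = SAMPLE_UNCHANGED  # demo run with the constructed sample
    props = parse_properties(text)
    for name, verdict in audit(props).items():
        print(f"{name}: {verdict}")
    print("assessment:", assess(props))
```

Run it as `python audit_rememberme.py /path/to/openmeetings.properties`; an exit status could be tied to the assessment if the check is folded into a configuration-compliance job. Because the real defaults are not reproduced on this page, the script reports `VULNERABLE` only once `KNOWN_DEFAULTS` has been filled in with the genuine shipped values; a `REVIEW` result means the property is absent and the effective value has to be confirmed from the running application.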