High severity7.5NVD Advisory· Published Apr 9, 2026· Updated Apr 15, 2026
CVE-2026-33266
CVE-2026-33266
Description
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.
The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.
This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.openmeetings:openmeetings-parentMaven | >= 6.1.0, < 9.0.0 | 9.0.0 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- www.openwall.com/lists/oss-security/2026/04/09/11nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-wqxq-w68r-wg85ghsaADVISORY
- lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66nvdMailing ListVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-33266ghsaADVISORY
News mentions
0No linked articles in our index yet.