๐Ÿ” CVE Alert

CVE-2026-33266

HIGH 7.5

Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt

CVSS Score: 7.5
EPSS Score: 0.0%
EPSS Percentile: 1st

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to a default value in openmeetings.properties and is not auto-rotated. If the OM admin has not changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can obtain the full user credentials. This issue affects Apache OpenMeetings from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.

CWE: CWE-321
Vendor: Apache Software Foundation
Product: Apache OpenMeetings
Published: Apr 9, 2026
Last Updated: Apr 10, 2026

Affected Versions

Apache Software Foundation / Apache OpenMeetings
From 6.1.0 before 9.0.0

References

lists.apache.org: https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66
openwall.com: http://www.openwall.com/lists/oss-security/2026/04/09/11

Credits

4ra2n (A code security AI agent)