CVE-2026-33266

EUVD-2026-20936

09.04.2026, 16:16

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.

The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.

This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Affected Products (NVD)

Vendor	Product	Version
apache	openmeetings	6.1.0 ≤ 𝑥 < 9.0.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-321 - Use of Hard-coded Cryptographic Key
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

References

https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66

http://www.openwall.com/lists/oss-security/2026/04/09/11