{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33266", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-18T14:16:42.998Z", "datePublished": "2026-04-09T15:52:36.105Z", "dateUpdated": "2026-04-10T18:49:13.351Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache OpenMeetings", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "9.0.0", "status": "affected", "version": "6.1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "4ra2n (A code security AI agent)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.</p><p>The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. <span style=\"background-color: rgb(255, 255, 255);\">In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.</span><br></p><p>This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.</p><p>Users are recommended to upgrade to version 9.0.0, which fixes the issue.</p>"}], "value": "Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.\n\nThe remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.\n\n\nThis issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T15:52:36.105Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66"}], "source": {"defect": ["OPENMEETINGS-2813"], "discovery": "EXTERNAL"}, "title": "Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/09/11"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-09T16:29:21.634Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:47:33.185349Z", "id": "CVE-2026-33266", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:49:13.351Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33266", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:47:33.185349Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-10T18:48:41.302Z"}}], "cna": {"title": "Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt", "source": {"defect": ["OPENMEETINGS-2813"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "4ra2n (A code security AI agent)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache OpenMeetings", "versions": [{"status": "affected", "version": "6.1.0", "lessThan": "9.0.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.\n\nThe remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.\n\n\nThis issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.</p><p>The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. <span style=\"background-color: rgb(255, 255, 255);\">In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.</span><br></p><p>This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.</p><p>Users are recommended to upgrade to version 9.0.0, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-09T15:52:36.105Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33266", "state": "PUBLISHED", "dateUpdated": "2026-04-09T16:29:21.634Z", "dateReserved": "2026-03-18T14:16:42.998Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-09T15:52:36.105Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.\n\nThe remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.\n\n\nThis issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.\n\nUsers are recommended to upgrade to version 9.0.0, which fixes the issue."}], "id": "CVE-2026-33266", "lastModified": "2026-04-10T19:16:22.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-09T16:16:26.960", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/09/11"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "security@apache.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[6.1.0,9.0.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache OpenMeetings", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "openmeetings", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-09T20:24:55.500496+00:00", "value": {"mitigation_remediation": ["Verify the Apache OpenMeetings version in use", "If the version is older than 9.0.0, plan and execute an upgrade to 9.0.0 or later", "If an upgrade is not immediately possible, replace the default remember\u2011me cookie encryption key in openmeetings.properties with a strong random value", "Monitor logs and user activity for signs of cookie theft or unauthorized access", "Stay informed of vendor advisories for additional updates or mitigations"], "summary": {"action": "Upgrade", "impact": "Credential compromise via cookie decryption"}, "threat_synthesis": {"affected_systems": "All Apache OpenMeetings releases from version 6.1.0 through 8.x are impacted, up to but excluding 9.0.0. Deployments that have not swapped the default key for a custom strong value or upgraded to 9.0.0 or newer remain vulnerable.", "description_and_impact": "Apache OpenMeetings stores the remember\u2011me cookie encryption key in openmeetings.properties with a default hard\u2011coded value that never rotates. If an administrator does not modify this key, the cookie can be decrypted by anyone who obtains it, allowing the attacker to recover the full user credentials. This flaw is an example of CWE\u2011321, where a fixed cryptographic key defeats confidentiality.", "risk_and_exploitability": "An attacker can acquire a remember\u2011me cookie from a legitimate session or intercepted traffic; the static key enables immediate decryption, giving full account access. Exploit probability data is not reported, and the vulnerability is not listed in CISA's catalog, but credential theft can occur until the key is changed or the software is updated."}}}}, "created": "2026-04-10T08:53:09.053067+00:00", "updated": "2026-04-10T09:32:21.628811+00:00", "vendors": ["apache", "apache$PRODUCT$openmeetings"]}