Vulnerability Details CVE-2026-22886
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires
authentication. However, the product ships with a default administrative account (admin/
admin) and does not enforce a mandatory password change on first use. After the first
successful login, the server continues to accept the default password indefinitely without
warning or enforcement.
In real-world deployments, this service is often left enabled without changing the default
credentials. As a result, a remote attacker with access to the service port could authenticate
as an administrator and gain full control of the protocol’s administrative features.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 41.8%
CVSS Severity
CVSS v3 Score 9.8