Vulnerability Details CVE-2026-33266
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.
The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.
This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.
Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 6.3%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-33266
-
cpe:2.3:a:apache:openmeetings:6.1.0
-
cpe:2.3:a:apache:openmeetings:6.2.0
-
cpe:2.3:a:apache:openmeetings:6.3.0
-
cpe:2.3:a:apache:openmeetings:7.0.0
-
cpe:2.3:a:apache:openmeetings:8.0.0