oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2026-33266: Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt

From: Maxim Solodovnik <solomax () apache org>
Date: Thu, 09 Apr 2026 14:21:08 +0000
Severity: important 

Affected versions:

- Apache OpenMeetings 6.1.0 before 9.0.0

Description:

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.

The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In 
case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can 
get full user credentials.


This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

This issue is being tracked as OPENMEETINGS-2813 

Credit:

4ra2n (A code security AI agent) (finder)

References:

https://openmeetings.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-33266
https://issues.apache.org/jira/browse/OPENMEETINGS-2813
Previous By Date Next
Previous By Thread Next

Current thread: