CVE-2026-22886
Published: 03 March 2026
Summary
CVE-2026-22886 is a critical-severity Use of Weak Credentials (CWE-1391) vulnerability in Eclipse OpenMQ. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). It ranks in the top 50.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates changing default authenticators prior to first use, directly preventing exploitation of the unchanged admin/admin credentials in OpenMQ's imqbrokerd service.
AC-2 requires managing accounts throughout their lifecycle, including modifying default administrative accounts to avoid use of known credentials.
CM-6 enforces secure configuration settings that include changing default passwords and potentially disabling unnecessary management services like imqbrokerd.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables use of default credentials (admin/admin) for remote authentication and full administrative access to the management service.
NVD Description
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol's administrative features.
Deeper analysis
CVE-2026-22886 is a critical vulnerability in OpenMQ, specifically affecting its TCP-based management service known as imqbrokerd. The issue arises because OpenMQ ships with a default administrative account using the credentials admin/admin, and the service requires authentication by default but does not enforce a mandatory password change on first use. After the initial successful login, the server continues to accept the default password indefinitely, without any warnings or enforcement mechanisms.
A remote attacker with network access to the exposed service port can exploit this vulnerability by authenticating with the unchanged default credentials, thereby gaining full control over the broker's administrative features. In real-world deployments, the management service is often left enabled without modifying the default credentials, making exploitation straightforward. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 1391, 1392, and 1393.
Mitigation details are available in the advisory referenced at https://gitlab.eclipse.org/security/cve-assignment/-/issues/85, published on 2026-03-03.
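To make the reported behaviour and the IA-5 control concrete, the following added example (illustrative code, not OpenMQ's implementation and not from the advisory) models a broker that ships with admin/admin: the vulnerable variant keeps accepting the default indefinitely, while the hardened variant honours the factory credential exactly once, and only to set a replacement password. The account store, the PBKDF2 hashing and the must_change_password flag are assumptions made for the example.

```python
# Model of the weakness behind CVE-2026-22886 (CWE-1391) beside a hardened variant.
# Illustrative code, not OpenMQ's: the account store, the PBKDF2 hashing and the
# must_change_password flag are assumptions; only the default pair admin/admin and
# the missing first-use password change come from the advisory text.
import hashlib
import hmac
import os

DEFAULT_ADMIN = ("admin", "admin")  # default administrative account as shipped


def make_account(password, must_change=False):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "digest": digest, "must_change_password": must_change}


def verify(acct, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
    return hmac.compare_digest(acct["digest"], digest)


class VulnerableBroker:
    """Ships admin/admin and keeps accepting it indefinitely (reported behaviour)."""

    def __init__(self):
        self.users = {DEFAULT_ADMIN[0]: make_account(DEFAULT_ADMIN[1])}

    def login(self, user, password, new_password=None):
        acct = self.users.get(user)
        if acct and verify(acct, password):
            return "admin-session"  # full administrative access, every time
        return None


class HardenedBroker(VulnerableBroker):
    """The factory credential works once, and only to set a replacement password."""

    def __init__(self):
        self.users = {DEFAULT_ADMIN[0]: make_account(DEFAULT_ADMIN[1], must_change=True)}

    def login(self, user, password, new_password=None):
        acct = self.users.get(user)
        if not acct or not verify(acct, password):
            return None
        if acct["must_change_password"]:
            # First use: issue no session; require a replacement that differs from the default.
            if not new_password or verify(acct, new_password):
                return None
            self.users[user] = make_account(new_password)
            return "password-changed"
        return "admin-session"
```

The hardened broker's first-use path is what IA-5 asks for: the shipped credential can never yield an administrative session, only a one-time password change after which it is dead.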
Details
- CWE(s)