Cyber Resilience

CVE-2026-22886

Critical

Published: 03 March 2026

Modified: 09 April 2026
KEV Added: not listed
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (31.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-22886 is a critical-severity Use of Weak Credentials (CWE-1391) vulnerability in Eclipse Openmq. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE is ranked at the 31.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-22886 is a critical vulnerability in OpenMQ, specifically affecting its TCP-based management service known as imqbrokerd. The issue arises because OpenMQ ships with a default administrative account using the credentials admin/admin, and the service requires authentication by default but does not enforce a mandatory password change on first use. After the initial successful login, the server continues to accept the default password indefinitely, without any warnings or enforcement mechanisms.

A remote attacker with network access to the exposed service port can exploit this vulnerability by authenticating with the unchanged default credentials, thereby gaining full control over the broker's administrative features. In real-world deployments, the management service is often left enabled without modifying the default credentials, making exploitation straightforward. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 1391, 1392, and 1393.

Mitigation details are available in the advisory referenced at https://gitlab.eclipse.org/security/cve-assignment/-/issues/85, published on 2026-03-03.

Vulnerability details

OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol's administrative features.

CWE(s)

CWE-1391 (Use of Weak Credentials), CWE-1392 (Use of Default Credentials), CWE-1393 (Use of Default Password)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability directly enables use of default credentials (admin/admin) for remote authentication and full administrative access to the management service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-24457 (same product: Eclipse Openmq)
CVE-2026-2586 (same vendor: Eclipse)
CVE-2026-2587 (same vendor: Eclipse)
CVE-2024-9342 (same vendor: Eclipse)
CVE-2026-5795 (same vendor: Eclipse)
CVE-2026-2332 (same vendor: Eclipse)
CVE-2026-1188 (same vendor: Eclipse)
CVE-2025-0726 (same vendor: Eclipse)
CVE-2026-6918 (same vendor: Eclipse)
CVE-2025-55102 (same vendor: Eclipse)

Affected Assets

Vendor: eclipse
Product: openmq
Versions: all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 (Authenticator Management) mandates changing default authenticators prior to first use, directly preventing exploitation of the unchanged admin/admin credentials in OpenMQ's imqbrokerd service.

Prevent: AC-2 (Account Management) requires managing accounts throughout their lifecycle, including modifying default administrative accounts to avoid use of known credentials.

Prevent: CM-6 (Configuration Settings) enforces secure configuration settings that include changing default passwords and potentially disabling unnecessary management services like imqbrokerd.
