Cyber Resilience

CVE-2026-33266

High

Published: 09 April 2026

Published
09 April 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0006 17.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33266 is a high-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Apache Openmeetings. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33266 is a Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings, where the remember-me cookie encryption key defaults to a static value in the openmeetings.properties file without automatic rotation. If administrators have not manually changed this key, stolen cookies can be decrypted to reveal full user credentials. The issue affects Apache OpenMeetings versions from 6.1.0 up to but not including 9.0.0, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-321.

An unauthenticated attacker with network access can exploit this by stealing a remember-me cookie from a logged-in user, such as through network interception or cross-site scripting if combined with other vectors. With the default key, the attacker can decrypt the cookie to obtain the user's full credentials, enabling account takeover and potential further compromise within the OpenMeetings environment.

Apache advisories recommend upgrading to version 9.0.0, which resolves the issue by addressing the hard-coded key problem. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66 and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/09/11.

EU & UK References

Vulnerability details

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen…

more

a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Public-facing web app vuln (T1190) with hard-coded cookie key enables decryption of stolen remember-me cookies (T1539) to obtain credentials due to unsecured crypto material (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-54676Same product: Apache Openmeetings
CVE-2026-34020Same product: Apache Openmeetings
CVE-2026-31986Same vendor: Apache
CVE-2025-62188Same vendor: Apache
CVE-2025-68438Same vendor: Apache
CVE-2026-46586Same vendor: Apache
CVE-2026-41873Same vendor: Apache
CVE-2025-24783Same vendor: Apache
CVE-2024-53678Same vendor: Apache
CVE-2026-34059Same vendor: Apache

Affected Assets

apache
openmeetings
6.1.0 — 9.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires establishment and management of cryptographic keys, preventing use of hard-coded default keys without rotation for remember-me cookie encryption.

prevent

Mandates timely identification, reporting, and correction of flaws like this hard-coded key vulnerability, aligning with the upgrade to version 9.0.0.

prevent

Enforces secure configuration settings for components like openmeetings.properties to override default encryption keys and mitigate the vulnerability.

References