CVE-2026-33266

High

Published: 09 April 2026

Published

09 April 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0007 20.5th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33266 is a high-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Apache Openmeetings. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-12 Cryptographic Key Establishment and Management good match

prevent

Directly requires establishment and management of cryptographic keys, preventing use of hard-coded default keys without rotation for remember-me cookie encryption.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and correction of flaws like this hard-coded key vulnerability, aligning with the upgrade to version 9.0.0.

CM-6 Configuration Settings partial match

prevent

Enforces secure configuration settings for components like openmeetings.properties to override default encryption keys and mitigate the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1539 Steal Web Session Cookie Credential Access

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

attack.mitre.org →

T1552 Unsecured Credentials Credential Access

Adversaries may search compromised systems to find and obtain insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Public-facing web app vuln (T1190) with hard-coded cookie key enables decryption of stolen remember-me cookies (T1539) to obtain credentials due to unsecured crypto material (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen…

a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.

Deeper analysisAI

CVE-2026-33266 is a Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings, where the remember-me cookie encryption key defaults to a static value in the openmeetings.properties file without automatic rotation. If administrators have not manually changed this key, stolen cookies can be decrypted to reveal full user credentials. The issue affects Apache OpenMeetings versions from 6.1.0 up to but not including 9.0.0, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-321.

An unauthenticated attacker with network access can exploit this by stealing a remember-me cookie from a logged-in user, such as through network interception or cross-site scripting if combined with other vectors. With the default key, the attacker can decrypt the cookie to obtain the user's full credentials, enabling account takeover and potential further compromise within the OpenMeetings environment.

Apache advisories recommend upgrading to version 9.0.0, which resolves the issue by addressing the hard-coded key problem. Additional details are available in the Apache mailing list announcement at https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66 and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/09/11.

Details

CWE(s): CWE-321

Affected Products

apache

openmeetings

6.1.0 — 9.0.0

CVEs Like This One

CVE-2024-54676Same product: Apache Openmeetings

CVE-2026-34020Same product: Apache Openmeetings

CVE-2025-62188Same vendor: Apache

CVE-2025-68438Same vendor: Apache

CVE-2024-55532Same vendor: Apache

CVE-2026-31908Same vendor: Apache

CVE-2025-54466Same vendor: Apache

CVE-2026-40466Same vendor: Apache

CVE-2025-24783Same vendor: Apache

CVE-2026-24343Same vendor: Apache

References

https://lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66
Mailing List, Vendor Advisory · security@apache.org
http://www.openwall.com/lists/oss-security/2026/04/09/11
Mailing List, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108