CVE-2026-33266: Apache OpenMeetings Uses Hard-coded Cryptographic Key

April 9, 2026 (updated April 10, 2026)

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.

The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn’t changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.

This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

References

github.com/advisories/GHSA-wqxq-w68r-wg85
github.com/apache/openmeetings
lists.apache.org/thread/b05jnp9563v49zq494lox9kjbhhf2w66
nvd.nist.gov/vuln/detail/CVE-2026-33266

Code Behaviors & Features

Detect and mitigate CVE-2026-33266 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →