Openmq
CVE-2026-22886
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement.
In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.
AnalysisAI
Default admin credentials in OpenMQ message broker. Shipped with known default admin password.
Technical ContextAI
CWE-1391 default credentials in message broker.
RemediationAI
Change default credentials.
Same weakness CWE-1391 – Use of Weak Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today