What is the CVSS score of CVE-2026-33266?

CVE-2026-33266 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Which versions of Apache are affected by CVE-2026-33266?

Apache OpenMeetings versions 6.1.0 through 9.0.0 contain a hard-coded cryptographic key that enables attackers to decrypt stolen session cookies and extract user credentials without authentication.. A patch is available.

Apache CVE-2026-33266

EUVD-2026-20936 HIGH

Use of Hard-coded Cryptographic Key (CWE-321)

2026-04-09 apache

GHSA-wqxq-w68r-wg85

Apache Information Disclosure

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Apr 11, 2026 - 02:30 nvd

Patch available

EUVD ID Assigned

Apr 09, 2026 - 16:00 euvd

EUVD-2026-20936

Analysis Generated

Apr 09, 2026 - 16:00 vuln.today

CVE Published

Apr 09, 2026 - 15:52 nvd

HIGH 7.5

DescriptionNVD

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings.

The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials.

This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0.

Users are recommended to upgrade to version 9.0.0, which fixes the issue.

AnalysisAI

Hard-coded cryptographic key in Apache OpenMeetings 6.1.0-9.0.0 enables cookie-based credential theft. The default remember-me cookie encryption key in openmeetings.properties is not auto-rotated, allowing attackers who steal session cookies to decrypt and extract full user credentials without authentication. …

RemediationAI

Within 24 hours: Identify all Apache OpenMeetings instances in production and document version numbers and deployment scope. Within 7 days: Implement network segmentation to restrict access to OpenMeetings administrative interfaces and rotate all user passwords for accounts that have accessed affected instances. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

CVE-2026-43828 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue

CVE-2026-44598 MEDIUM This Month

5.1 May 25

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vu

CVE-2026-33266 vulnerability details – vuln.today

Back

Apache CVE-2026-33266

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code