EUVD-2026-20936
GHSA-wqxq-w68r-wg85
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Description
Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue.
Analysis
Hard-coded cryptographic key in Apache OpenMeetings 6.1.0-9.0.0 enables cookie-based credential theft. The default remember-me cookie encryption key in openmeetings.properties is not auto-rotated, allowing attackers who steal session cookies to decrypt and extract full user credentials without authentication. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Apache OpenMeetings instances in production and document version numbers and deployment scope. Within 7 days: Implement network segmentation to restrict access to OpenMeetings administrative interfaces and rotate all user passwords for accounts that have accessed affected instances. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today