PT-2026-31640 · Apache · Apache OpenMeetings

4Ra2N

Published: 2026-04-09 · Updated: 2026-04-10 · CVE-2026-33266

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Apache OpenMeetings versions 6.1.0 through 9.0.0

Description

A hard-coded cryptographic key is used in Apache OpenMeetings. The remember-me cookie encryption key is set to a default value in the openmeetings.properties file and is not automatically rotated. If the OpenMeetings administrator has not changed the default encryption key, an attacker who obtains a cookie from a logged-in user can potentially gain full user credentials.

Recommendations

Upgrade to version 9.0.0.

Related Identifiers

CVE-2026-33266
GHSA-WQXQ-W68R-WG85

Affected Products

Apache OpenMeetings