Apache OpenMeetings Hardcoded Remember-Me Cookie Encryption Key Vulnerability

Vulnerability

Apache OpenMeetings from version 6.1.0 up to, but not including, 9.0.0 ships the key used to encrypt the remember-me cookie as a hardcoded default value in the openmeetings.properties file. The key is not rotated automatically, so a deployment whose administrator never replaced the default keeps using a key that anyone with a copy of the distribution knows. Because the remember-me cookie carries the user's credentials encrypted under that key, an attacker who steals the cookie from a logged-in user can decrypt it offline with the default key and recover the user's full credentials.

Impact

An attacker who obtains a user's remember-me cookie, for example by intercepting it, can decrypt it with the default key and recover that user's full credentials, not merely a session that expires. The only precondition is that the deployment still uses the shipped default key; once the cookie is in hand, decryption needs no further interaction with the victim or the server.

Remediation

Upgrade to Apache OpenMeetings 9.0.0 or later, which addresses this vulnerability, and confirm that the running configuration no longer carries the shipped default key. Deployments that cannot upgrade immediately should replace the default key in openmeetings.properties with a randomly generated value; because remember-me cookies are encrypted under that key, changing it also invalidates every cookie issued under the old default. Rotating the key does not protect credentials that an attacker has already recovered from a cookie captured while the default was in use.
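The mechanism described in the Vulnerability, Impact and Remediation sections above, as an added illustrative model written for this page rather than code from OpenMeetings or Wicket: a remember-me cookie holding credentials encrypted under a configured key, an attacker who knows the shipped default decrypting a stolen cookie offline, a check for a properties file still carrying a default, and the safer opaque-token design that never puts credentials in the cookie at all. The key value, property name, cipher construction and all function names are assumptions; OpenMeetings' real property name and default value are not reproduced here.

```python
"""Model of an encrypted remember-me cookie and why a shipped default key
breaks it. Hypothetical code written for this page; it is not OpenMeetings
or Wicket code and makes no claim about their property names or cipher."""
import base64
import hashlib
import hmac
import os
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical stand-in for a default key shipped in a properties file.
# Constructed value; the real default is deliberately not reproduced.
DEFAULT_KEY = b"default-remember-me-key-please-change"
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the configured key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in stream cipher for the demo."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_cookie(key: bytes, username: str, password: str) -> str:
    """Encrypt 'username:password' (encrypt-then-MAC) into a cookie value."""
    plaintext = f"{username}:{password}".encode()
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def decrypt_cookie(key: bytes, cookie: str) -> Optional[Tuple[str, str]]:
    """Return (username, password) if `key` verifies the cookie, else None."""
    raw = base64.urlsafe_b64decode(cookie)
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered cookie
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    pt = bytes(c ^ k for c, k in zip(ct, ks))
    username, _, password = pt.decode().partition(":")  # usernames hold no ':'
    return username, password


def attacker_recovers_credentials(stolen_cookie: str, candidate_keys: Iterable[bytes]) -> Optional[Tuple[str, str]]:
    """Offline attack: try every key the attacker knows, e.g. the shipped default."""
    for key in candidate_keys:
        creds = decrypt_cookie(key, stolen_cookie)
        if creds is not None:
            return creds
    return None


def generate_deployment_key() -> bytes:
    """Per-deployment random key: what a shipped default must be replaced with."""
    return secrets.token_bytes(32)


def uses_default_key(properties_text: str, property_name: str, default_value: str) -> bool:
    """Flag a key=value properties file whose `property_name` still equals the
    default. Caller supplies both names; the real ones are not reproduced here."""
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == property_name:
            return value.strip() == default_value
    return False


class OpaqueTokenStore:
    """Safer design: the cookie carries a random token, never credentials, and
    the server keeps only a hash of it, so a stolen cookie yields no password."""

    def __init__(self) -> None:
        self._tokens: Dict[bytes, str] = {}

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[hashlib.sha256(token.encode()).digest()] = username
        return token

    def resolve(self, cookie: str) -> Optional[str]:
        return self._tokens.get(hashlib.sha256(cookie.encode()).digest())

    def revoke_all(self) -> None:
        """Rotation equivalent: every outstanding remember-me cookie stops working."""
        self._tokens.clear()


if __name__ == "__main__":
    stolen = encrypt_cookie(DEFAULT_KEY, "alice", "s3cret:pass")
    print("default key ->", attacker_recovers_credentials(stolen, [DEFAULT_KEY]))
    stolen = encrypt_cookie(generate_deployment_key(), "alice", "s3cret:pass")
    print("random key  ->", attacker_recovers_credentials(stolen, [DEFAULT_KEY]))
```

The first run of the demo recovers the username and password from the cookie because the attacker's candidate list contains the default; the second returns None once the deployment has its own random key. Even with a random key, a stolen cookie still carries the password, which is why the opaque-token store is the design to prefer: revocation is a server-side delete, and there is nothing in the cookie worth decrypting.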

Added: Apr 9, 2026, 5:02 PM
Updated: Apr 9, 2026, 5:02 PM

Vulnerability Rating

Custom Algorithm

  spread          3.1
  impact          2.5
  exploitability  6.0
  remediation     7.7
  relevance       5.5
  threat          0.0
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.