Severity: important Affected versions:
- Apache OpenMeetings 6.1.0 before 9.0.0 Description: Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logged-in user can get full user credentials. This issue affects Apache OpenMeetings: from 6.1.0 before 9.0.0. Users are recommended to upgrade to version 9.0.0, which fixes the issue. This issue is being tracked as OPENMEETINGS-2813 Credit: 4ra2n (A code security AI agent) (finder) References: https://openmeetings.apache.org/ https://www.cve.org/CVERecord?id=CVE-2026-33266 https://issues.apache.org/jira/browse/OPENMEETINGS-2813
