CVE-2026-22886 (GCVE-0-2026-22886)
Vulnerability from cvelistv5 – Published: 2026-03-03 09:18 – Updated: 2026-03-03 14:51
Summary
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement.

In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol's administrative features.
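The check a broker owner would want for this advisory, written here as an added example (not code from the advisory or from the OpenMQ project): a POSIX shell script that uses the stock imqcmd administration client to test whether a broker still accepts the shipped admin/admin credentials, and, when it does, rotates the admin password in the instance's flat-file user repository with imqusermgr. The install root under IMQ_HOME, the broker address localhost:7676 (OpenMQ's documented default port-mapper port), the instance name imqbroker and the script file name are assumptions; the password is handed to imqcmd through a 0600 passfile rather than the -p option so it never appears in the process list.

```shell
#!/bin/sh
# imq_default_creds_audit.sh  (added example; assumes an OpenMQ install layout)
# Test a broker for the shipped admin/admin account (CVE-2026-22886) and rotate it.
set -u

IMQ_HOME=${IMQ_HOME:-/opt/openmq/mq}   # assumption: install root with bin/imqcmd, bin/imqusermgr
BROKER=${BROKER:-localhost:7676}       # assumption: default port-mapper host:port
INSTANCE=${INSTANCE:-imqbroker}        # assumption: default broker instance name

# Write an imqcmd passfile holding $1. mktemp creates the file 0600, so the
# password is not world-readable and never appears on a command line.
make_passfile() {
  _pw=$1
  _f=$(mktemp) || return 1
  printf 'imq.imqcmd.password=%s\n' "$_pw" > "$_f"
  printf '%s\n' "$_f"
}

# Return 0 if the broker accepts user $1 / password $2 for an admin query,
# 2 if imqcmd is not available, otherwise imqcmd's own non-zero status.
admin_login_works() {
  [ -x "$IMQ_HOME/bin/imqcmd" ] || return 2
  _pf=$(make_passfile "$2") || return 2
  "$IMQ_HOME/bin/imqcmd" query bkr -b "$BROKER" -u "$1" -passfile "$_pf" -f -s >/dev/null 2>&1
  _rc=$?
  rm -f "$_pf"
  return $_rc
}

# 16 random bytes from /dev/urandom as 32 lowercase hex characters.
new_password() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Replace the admin password in the instance's flat-file user repository.
# imqusermgr takes the password on its command line, so run this where the
# process list is not shared with untrusted users.
rotate_admin_password() {
  _new=$1
  "$IMQ_HOME/bin/imqusermgr" update -i "$INSTANCE" -u admin -p "$_new" -f
}

main() {
  admin_login_works admin admin
  case $? in
    0)
      echo "FAIL: $BROKER still accepts the default admin/admin credentials"
      _new=$(new_password)
      if rotate_admin_password "$_new"; then
        _pf=$(make_passfile "$_new")
        echo "Rotated admin password; new passfile (mode 0600): $_pf"
        echo "Move it into your secrets manager, then re-run this script."
      else
        echo "Rotation failed; change the admin password by hand before exposing $BROKER"
        return 1
      fi ;;
    2) echo "ERROR: $IMQ_HOME/bin/imqcmd not found or not executable"; return 2 ;;
    *) echo "OK: $BROKER rejected the default admin/admin credentials" ;;
  esac
}

# Run main only when executed under the assumed script name, so the functions
# can also be sourced from another script without side effects.
case ${0##*/} in
  imq_default_creds_audit.sh) main "$@" ;;
esac
```

Run it only against brokers you are responsible for. A FAIL means anyone who could reach the admin service port held administrator rights until now, so treat the rotation as the first step of an incident review rather than the end of it: list the repository's accounts with `imqusermgr list -i imqbroker` and remove any you did not create.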
Severity
9.8 (Critical), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
- CWE-1392 Use of Default Credentials
- CWE-1393 Use of Default Password
- CWE-1391 Use of Weak Credentials
Assigner
eclipse (Eclipse Foundation)
References
- https://gitlab.eclipse.org/security/cve-assignment/-/issues/85 (Issue Tracking, Vendor Advisory)
Impacted products
| Vendor | Product | Version |
|---|---|---|
| Eclipse Foundation | Eclipse OpenMQ | Affected: 0 (from version 0, i.e. all versions; no fixed version listed) |
Credits
Camilo G. AkA Dedalo (DeepSecurity Perú)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22886",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-03T14:51:17.610064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T14:51:24.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Eclipse OpenMQ",
"repo": "https://github.com/eclipse-ee4j/openmq",
"vendor": "Eclipse Foundation",
"versions": [
{
"status": "affected",
"version": "0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Camilo G. AkA Dedalo (DeepSecurity Per\u00fa)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eOpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\nauthentication. However, the product ships with a default administrative account (\u003cstrong\u003eadmin/\nadmin\u003c/strong\u003e) and \u003cstrong\u003edoes not enforce a mandatory password change on first use\u003c/strong\u003e. After the first\nsuccessful login, the server continues to accept the default password indefinitely without\nwarning or enforcement.\u003c/p\u003e\n\u003cp\u003eIn real-world deployments, this service is often left enabled without changing the default\ncredentials. As a result, a remote attacker with access to the service port could authenticate\nas an administrator and gain full control of the protocol\u2019s administrative features.\u003c/p\u003e"
}
],
"value": "OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\nauthentication. However, the product ships with a default administrative account (admin/\nadmin) and does not enforce a mandatory password change on first use. After the first\nsuccessful login, the server continues to accept the default password indefinitely without\nwarning or enforcement.\n\n\nIn real-world deployments, this service is often left enabled without changing the default\ncredentials. As a result, a remote attacker with access to the service port could authenticate\nas an administrator and gain full control of the protocol\u2019s administrative features."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1392",
"description": "CWE-1392 Use of Default Credentials",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1393",
"description": "CWE-1393 Use of Default Password",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1391",
"description": "CWE-1391 Use of Weak Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T09:20:54.024Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/85"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2026-22886",
"datePublished": "2026-03-03T09:18:46.109Z",
"dateReserved": "2026-01-23T11:07:26.448Z",
"dateUpdated": "2026-03-03T14:51:24.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-22886\",\"sourceIdentifier\":\"emo@eclipse.org\",\"published\":\"2026-03-03T10:16:06.267\",\"lastModified\":\"2026-04-09T19:47:40.263\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\\nauthentication. However, the product ships with a default administrative account (admin/\\nadmin) and does not enforce a mandatory password change on first use. After the first\\nsuccessful login, the server continues to accept the default password indefinitely without\\nwarning or enforcement.\\n\\n\\nIn real-world deployments, this service is often left enabled without changing the default\\ncredentials. As a result, a remote attacker with access to the service port could authenticate\\nas an administrator and gain full control of the protocol\u2019s administrative features.\"},{\"lang\":\"es\",\"value\":\"OpenMQ expone un servicio de gesti\u00f3n basado en TCP (imqbrokerd) que por defecto requiere autenticaci\u00f3n. Sin embargo, el producto se env\u00eda con una cuenta administrativa por defecto (admin/admin) y no impone un cambio de contrase\u00f1a obligatorio en el primer uso. Despu\u00e9s del primer inicio de sesi\u00f3n exitoso, el servidor contin\u00faa aceptando la contrase\u00f1a por defecto indefinidamente sin advertencia ni imposici\u00f3n.\\n\\nEn implementaciones del mundo real, este servicio a menudo se deja habilitado sin cambiar las credenciales por defecto. Como resultado, un atacante remoto con acceso al puerto del servicio podr\u00eda autenticarse como administrador y obtener control total de las caracter\u00edsticas administrativas del protocolo.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"emo@eclipse.org\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1391\"},{\"lang\":\"en\",\"value\":\"CWE-1392\"},{\"lang\":\"en\",\"value\":\"CWE-1393\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:openmq:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"24992257-6690-46E1-962A-2D9CE0815B85\"}]}]}],\"references\":[{\"url\":\"https://gitlab.eclipse.org/security/cve-assignment/-/issues/85\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-22886\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-03T14:51:17.610064Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-03T14:51:21.267Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Camilo G. AkA Dedalo (DeepSecurity Per\\u00fa)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/eclipse-ee4j/openmq\", \"vendor\": \"Eclipse Foundation\", \"product\": \"Eclipse OpenMQ\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://gitlab.eclipse.org/security/cve-assignment/-/issues/85\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\\nauthentication. However, the product ships with a default administrative account (admin/\\nadmin) and does not enforce a mandatory password change on first use. After the first\\nsuccessful login, the server continues to accept the default password indefinitely without\\nwarning or enforcement.\\n\\n\\nIn real-world deployments, this service is often left enabled without changing the default\\ncredentials. As a result, a remote attacker with access to the service port could authenticate\\nas an administrator and gain full control of the protocol\\u2019s administrative features.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eOpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\\nauthentication. However, the product ships with a default administrative account (\u003cstrong\u003eadmin/\\nadmin\u003c/strong\u003e) and \u003cstrong\u003edoes not enforce a mandatory password change on first use\u003c/strong\u003e. After the first\\nsuccessful login, the server continues to accept the default password indefinitely without\\nwarning or enforcement.\u003c/p\u003e\\n\u003cp\u003eIn real-world deployments, this service is often left enabled without changing the default\\ncredentials. As a result, a remote attacker with access to the service port could authenticate\\nas an administrator and gain full control of the protocol\\u2019s administrative features.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1392\", \"description\": \"CWE-1392 Use of Default Credentials\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1393\", \"description\": \"CWE-1393 Use of Default Password\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1391\", \"description\": \"CWE-1391 Use of Weak Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"shortName\": \"eclipse\", \"dateUpdated\": \"2026-03-03T09:20:54.024Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-22886\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-03T14:51:24.570Z\", \"dateReserved\": \"2026-01-23T11:07:26.448Z\", \"assignerOrgId\": \"e51fbebd-6053-4e49-959f-1b94eeb69a2c\", \"datePublished\": \"2026-03-03T09:18:46.109Z\", \"assignerShortName\": \"eclipse\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.