CRITICAL🇵🇱 Wersja polska

CVE-2026-22886

CVSS 9.8v3.1pub. 2026-03-03upd. 2026-04-09

OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/ admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.

🤖 AI Analysis
How it works

The management service based on the TCP protocol (imqbrokerd) is enabled by default and requires authentication, however the product is shipped with a predefined administrator account with credentials admin/admin. The system does not enforce a password change on first login or at any later time. After the first successful login, the server accepts the default password indefinitely, without warnings or mechanisms forcing its change. In practical deployments, this service is often left enabled without modification of the default authentication credentials.

Impact

An attacker with network access to the service port can authenticate as an administrator and gain full control over the administrative functions of the OpenMQ broker, which may lead to violations of confidentiality, integrity, and system availability.

Mitigation & patch

The default administrator account password (admin/admin) should be immediately changed to a strong, unique password. Patches available from the vendor should be applied according to the references. Additionally, it is recommended to restrict network access to the imqbrokerd service port only to trusted hosts using a firewall and to audit all deployments for the use of default login credentials.

Who is affected

Eclipse OpenMQ — versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Eclipse Openmq

    APP
    Eclipse
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-24457CRITICAL9.1PL ✓ten sam produkt

Path Traversal w Eclipse OpenMQ umożliwia odczyt plików i potencjalny RCE

CVE-2026-2586CRITICAL9.1ten sam vendor

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Consol...

CVE-2026-2587CRITICAL9.6ten sam vendor

A critical Remote Code Execution (RCE) vulnerability was identified in the server-side template rendering mech...

CVE-2026-1699CRITICAL10.0PL ✓ten sam vendor

Eclipse Theia Website: RCE w CI/CD przez podatny trigger GitHub Actions

CVE-2025-67109CRITICAL10.0PL ✓ten sam vendor

Eclipse Cyclone DDS — błędna weryfikacja czasu certyfikatu umożliwia eskalację uprawnień