{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22886", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "state": "PUBLISHED", "assignerShortName": "eclipse", "dateReserved": "2026-01-23T11:07:26.448Z", "datePublished": "2026-03-03T09:18:46.109Z", "dateUpdated": "2026-03-03T14:51:24.570Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Eclipse OpenMQ", "repo": "https://github.com/eclipse-ee4j/openmq", "vendor": "Eclipse Foundation", "versions": [{"status": "affected", "version": "0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Camilo G. AkA Dedalo (DeepSecurity Per\u00fa)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\nauthentication. However, the product ships with a default administrative account (<strong>admin/\nadmin</strong>) and <strong>does not enforce a mandatory password change on first use</strong>. After the first\nsuccessful login, the server continues to accept the default password indefinitely without\nwarning or enforcement.</p>\n<p>In real-world deployments, this service is often left enabled without changing the default\ncredentials. As a result, a remote attacker with access to the service port could authenticate\nas an administrator and gain full control of the protocol\u2019s administrative features.</p>"}], "value": "OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\nauthentication. However, the product ships with a default administrative account (admin/\nadmin) and does not enforce a mandatory password change on first use. After the first\nsuccessful login, the server continues to accept the default password indefinitely without\nwarning or enforcement.\n\n\nIn real-world deployments, this service is often left enabled without changing the default\ncredentials. As a result, a remote attacker with access to the service port could authenticate\nas an administrator and gain full control of the protocol\u2019s administrative features."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1392", "description": "CWE-1392 Use of Default Credentials", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1393", "description": "CWE-1393 Use of Default Password", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1391", "description": "CWE-1391 Use of Weak Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2026-03-03T09:20:54.024Z"}, "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/85"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T14:51:17.610064Z", "id": "CVE-2026-22886", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T14:51:24.570Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22886", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T14:51:17.610064Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T14:51:21.267Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Camilo G. AkA Dedalo (DeepSecurity Per\u00fa)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/eclipse-ee4j/openmq", "vendor": "Eclipse Foundation", "product": "Eclipse OpenMQ", "versions": [{"status": "affected", "version": "0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/85"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\nauthentication. However, the product ships with a default administrative account (admin/\nadmin) and does not enforce a mandatory password change on first use. After the first\nsuccessful login, the server continues to accept the default password indefinitely without\nwarning or enforcement.\n\n\nIn real-world deployments, this service is often left enabled without changing the default\ncredentials. As a result, a remote attacker with access to the service port could authenticate\nas an administrator and gain full control of the protocol\u2019s administrative features.", "supportingMedia": [{"type": "text/html", "value": "<p>OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\nauthentication. However, the product ships with a default administrative account (<strong>admin/\nadmin</strong>) and <strong>does not enforce a mandatory password change on first use</strong>. After the first\nsuccessful login, the server continues to accept the default password indefinitely without\nwarning or enforcement.</p>\n<p>In real-world deployments, this service is often left enabled without changing the default\ncredentials. As a result, a remote attacker with access to the service port could authenticate\nas an administrator and gain full control of the protocol\u2019s administrative features.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1392", "description": "CWE-1392 Use of Default Credentials"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1393", "description": "CWE-1393 Use of Default Password"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1391", "description": "CWE-1391 Use of Weak Credentials"}]}], "providerMetadata": {"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse", "dateUpdated": "2026-03-03T09:20:54.024Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22886", "state": "PUBLISHED", "dateUpdated": "2026-03-03T14:51:24.570Z", "dateReserved": "2026-01-23T11:07:26.448Z", "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "datePublished": "2026-03-03T09:18:46.109Z", "assignerShortName": "eclipse"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:openmq:*:*:*:*:*:*:*:*", "matchCriteriaId": "24992257-6690-46E1-962A-2D9CE0815B85", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\nauthentication. However, the product ships with a default administrative account (admin/\nadmin) and does not enforce a mandatory password change on first use. After the first\nsuccessful login, the server continues to accept the default password indefinitely without\nwarning or enforcement.\n\n\nIn real-world deployments, this service is often left enabled without changing the default\ncredentials. As a result, a remote attacker with access to the service port could authenticate\nas an administrator and gain full control of the protocol\u2019s administrative features."}, {"lang": "es", "value": "OpenMQ expone un servicio de gesti\u00f3n basado en TCP (imqbrokerd) que por defecto requiere autenticaci\u00f3n. Sin embargo, el producto se env\u00eda con una cuenta administrativa por defecto (admin/admin) y no impone un cambio de contrase\u00f1a obligatorio en el primer uso. Despu\u00e9s del primer inicio de sesi\u00f3n exitoso, el servidor contin\u00faa aceptando la contrase\u00f1a por defecto indefinidamente sin advertencia ni imposici\u00f3n.\n\nEn implementaciones del mundo real, este servicio a menudo se deja habilitado sin cambiar las credenciales por defecto. Como resultado, un atacante remoto con acceso al puerto del servicio podr\u00eda autenticarse como administrador y obtener control total de las caracter\u00edsticas administrativas del protocolo."}], "id": "CVE-2026-22886", "lastModified": "2026-04-09T19:47:40.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "emo@eclipse.org", "type": "Secondary"}]}, "published": "2026-03-03T10:16:06.267", "references": [{"source": "emo@eclipse.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/85"}], "sourceIdentifier": "emo@eclipse.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1391"}, {"lang": "en", "value": "CWE-1392"}, {"lang": "en", "value": "CWE-1393"}], "source": "emo@eclipse.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "0"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "product": "openmq", "vendor": "eclipse"}], "analysis": {"en": {"generated_at": "2026-04-16T14:07:10.583752+00:00", "value": {"mitigation_remediation": ["Apply the latest Eclipse OpenMQ update that removes or disables the default admin account and requires a mandatory password change upon first login", "If an update cannot be applied immediately, disable the imqbrokerd TCP management service to block unauthenticated access", "Configure all administrative accounts with strong, unique passwords and enforce periodic password changes to reduce the risk of credential compromise"], "summary": {"action": "Patch Now", "impact": "Remote authentication abuse"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Eclipse OpenMQ, as defined by its CNA. No specific version range is listed; it applies to all currently shipped versions that include the imqbrokerd management service with the default admin account left enabled without a forced password change.", "description_and_impact": "Eclipse OpenMQ exposes a TCP\u2011based management service that requires authentication. The package ships with a default administrative account, username and password both set to 'admin', and the system does not enforce a mandatory password change on first use. After a successful login, the server continues to accept these default credentials indefinitely, giving an attacker who can reach the service port a persistent administrative session and full control of the management protocol.", "risk_and_exploitability": "The CVSS base score is 9.8, indicating critical severity. The EPSS score is less than 1%, implying that exploitation has been rare to date, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is remote and network\u2011based; an attacker with access to the management service port can authenticate with the default credentials and perform any administrative task defined by the protocol, including user management, configuration changes, and data exposure. Because the default account remains valid indefinitely, the opportunity for exploitation remains broad as long as the service is left enabled without credential changes."}}}}, "created": "2026-03-04T14:54:28.497297+00:00", "title": "Default Credentials Persist in Eclipse OpenMQ TCP Management Service Allowing Remote Administration", "updated": "2026-04-16T14:15:28.804212+00:00", "vendors": ["eclipse", "eclipse$PRODUCT$openmq"]}