CVE-2026-22886

{"id": "CVE-2026-22886", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-22886", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-03-03T14:51:17.610064Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "emo@eclipse.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "affected": [{"source": "emo@eclipse.org", "affectedData": [{"repo": "https://github.com/eclipse-ee4j/openmq", "vendor": "Eclipse Foundation", "product": "Eclipse OpenMQ", "versions": [{"status": "affected", "version": "0"}], "defaultStatus": "unaffected"}]}], "published": "2026-03-03T10:16:06.267", "references": [{"url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/85", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "emo@eclipse.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "emo@eclipse.org", "description": [{"lang": "en", "value": "CWE-1391"}, {"lang": "en", "value": "CWE-1392"}, {"lang": "en", "value": "CWE-1393"}]}], "descriptions": [{"lang": "en", "value": "OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires\nauthentication. However, the product ships with a default administrative account (admin/\nadmin) and does not enforce a mandatory password change on first use. After the first\nsuccessful login, the server continues to accept the default password indefinitely without\nwarning or enforcement.\n\n\nIn real-world deployments, this service is often left enabled without changing the default\ncredentials. As a result, a remote attacker with access to the service port could authenticate\nas an administrator and gain full control of the protocol\u2019s administrative features."}, {"lang": "es", "value": "OpenMQ expone un servicio de gesti\u00f3n basado en TCP (imqbrokerd) que por defecto requiere autenticaci\u00f3n. Sin embargo, el producto se env\u00eda con una cuenta administrativa por defecto (admin/admin) y no impone un cambio de contrase\u00f1a obligatorio en el primer uso. Despu\u00e9s del primer inicio de sesi\u00f3n exitoso, el servidor contin\u00faa aceptando la contrase\u00f1a por defecto indefinidamente sin advertencia ni imposici\u00f3n.\n\nEn implementaciones del mundo real, este servicio a menudo se deja habilitado sin cambiar las credenciales por defecto. Como resultado, un atacante remoto con acceso al puerto del servicio podr\u00eda autenticarse como administrador y obtener control total de las caracter\u00edsticas administrativas del protocolo."}], "lastModified": "2026-06-17T10:20:33.720", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eclipse:openmq:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24992257-6690-46E1-962A-2D9CE0815B85"}], "operator": "OR"}]}], "sourceIdentifier": "emo@eclipse.org"}