Cyber Posture

CVE-2026-22886

Severity: Critical

Published: 03 March 2026

Modified: 09 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0020 (41.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement. In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol's administrative features.

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: IA-5 mandates changing default authenticators prior to first use, directly preventing exploitation of the unchanged admin/admin credentials in OpenMQ's imqbrokerd service.

Prevent: AC-2 requires managing accounts throughout their lifecycle, including modifying default administrative accounts to avoid use of known credentials.

Prevent: CM-6 enforces secure configuration settings that include changing default passwords and potentially disabling unnecessary management services like imqbrokerd.

Security Summary (AI)

CVE-2026-22886 is a critical vulnerability in OpenMQ, specifically affecting its TCP-based management service known as imqbrokerd. The issue arises because OpenMQ ships with a default administrative account using the credentials admin/admin, and the service requires authentication by default but does not enforce a mandatory password change on first use. After the initial successful login, the server continues to accept the default password indefinitely, without any warnings or enforcement mechanisms.

A remote attacker with network access to the exposed service port can exploit this vulnerability by authenticating with the unchanged default credentials, thereby gaining full control over the broker's administrative features. In real-world deployments, the management service is often left enabled without modifying the default credentials, making exploitation straightforward. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWEs 1391, 1392, and 1393.

Mitigation details are available in the advisory referenced at https://gitlab.eclipse.org/security/cve-assignment/-/issues/85, published on 2026-03-03.

Details

CWE(s)

Affected Products: eclipse / openmq, all versions

MITRE ATT&CK Enterprise Techniques (AI)

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The vulnerability directly enables use of default credentials (admin/admin) for remote authentication and full administrative access to the management service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References