9.8
Oracle OpenMQ has a default admin account with no password change required
CVE-2026-22886
Summary
OpenMQ ships with a default administrative account (admin/admin) and never forces a password change, so if the management service is left enabled in a production environment with those credentials unchanged, an attacker who can reach the service port can log in as administrator and gain full control of its administrative features. To prevent this, change the default admin password as soon as possible and ensure the service is only accessible from trusted locations. Regularly review and update admin credentials to maintain system security.
Original title
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enfo...
Original description
OpenMQ exposes a TCP-based management service (imqbrokerd) that by default requires authentication. However, the product ships with a default administrative account (admin/admin) and does not enforce a mandatory password change on first use. After the first successful login, the server continues to accept the default password indefinitely without warning or enforcement.
In real-world deployments, this service is often left enabled without changing the default credentials. As a result, a remote attacker with access to the service port could authenticate as an administrator and gain full control of the protocol’s administrative features.
NVD CVSS 3.1
9.8
Vulnerability type
CWE-1391
CWE-1392
CWE-1393
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026