Eclipse OpenMQ Ships With Critical Default Admin Credentials
CVE-2026-22886 exposes Eclipse OpenMQ to remote takeover via default admin/admin credentials. CVSS 9.8 critical vulnerability requires immediate attention from Java messaging users.
Eclipse OpenMQ, a popular open-source Java messaging system, ships with default administrative credentials that allow remote attackers to take full control of the message broker. CVE-2026-22886, disclosed today with a CVSS score of 9.8, affects all OpenMQ installations that haven't explicitly changed the default admin/admin password.
The vulnerability is embarrassingly simple. OpenMQ's TCP-based management service (imqbrokerd) ships with a preconfigured administrative account using "admin" as both username and password. The product doesn't require or prompt administrators to change this during installation. Anyone who can reach the management port can authenticate and gain full control.
The Problem With Default Credentials
Default credentials are a known anti-pattern, yet they persist across enterprise software. OpenMQ's case is particularly concerning because message brokers often handle sensitive application data—transaction records, user notifications, internal system commands.
An attacker who gains admin access to the message broker can:
- Read all messages passing through the system
- Inject malicious messages into queues consumed by other applications
- Modify routing rules to redirect traffic
- Create new accounts for persistent access
- Shut down the broker, causing denial of service
Message queues frequently serve as the backbone of microservices architectures. Compromising the broker means compromising the communication layer that applications trust implicitly. The supply chain attack patterns we've seen increasingly target exactly this kind of trusted infrastructure.
Who's Affected
OpenMQ is the reference implementation for Jakarta Messaging (formerly Java Message Service) and comes bundled with GlassFish application server. Organizations running Java enterprise applications, particularly those built on Jakarta EE or older J2EE platforms, may be using OpenMQ without realizing it.
The vulnerability affects:
- Standalone OpenMQ installations
- GlassFish deployments using the bundled message broker
- Applications using OpenMQ through embedded mode
- Any environment where the management service is network-accessible
Production deployments that followed the common pattern of "install and configure later" are at highest risk. Development and test environments are also vulnerable—and attackers routinely pivot from dev systems to production.
Exposure Assessment
Before panicking, check whether your OpenMQ installations are actually exposed:
- Locate the management port - OpenMQ's admin service defaults to port 7676
- Check network accessibility - Is port 7676 reachable from untrusted networks?
- Verify credential state - Can you authenticate with admin/admin?
If the management port is only accessible from localhost or a trusted management network, your exposure is limited to internal threats. If it's internet-facing or accessible across network segments without authentication controls, treat this as an active emergency.
No public exploits have been reported yet, but the attack requires zero skill. Any scanner that checks for default credentials will find vulnerable OpenMQ instances.
Immediate Mitigations
If you can't immediately patch or change credentials, these steps reduce exposure:
- Firewall the management port - Block port 7676 from all untrusted sources
- Bind to localhost only - Reconfigure imqbrokerd to listen only on 127.0.0.1
- Disable the admin service if not needed for operations
- Change the default password - Even a temporary password blocks the trivial attack
The Eclipse Foundation recommends changing default credentials as the primary fix. Update the broker configuration to use strong, unique passwords for all administrative accounts.
Why This Keeps Happening
Default credentials shouldn't exist in 2026, yet here we are. The WEGIA CVE-2026-28408 authentication bypass disclosed last week showed similar patterns—systems shipping with inadequate default security configurations that attackers trivially exploit.
The root cause is user experience optimization that prioritizes easy initial setup over security. Developers want software that "just works" out of the box. Security practitioners want mandatory credential changes during installation. Those goals conflict, and convenience usually wins. Similar oversights have affected enterprise tools like Redis, where default configurations enabled remote code execution.
Eclipse OpenMQ's documentation mentions changing default credentials but doesn't enforce it. Many organizations deploy software based on quick-start guides without reading the security hardening sections. The result is production systems running with the same credentials as the tutorial examples.
Detection and Response
Organizations should scan for vulnerable OpenMQ installations across their environment. Look for:
- TCP port 7676 listening on network interfaces
- Processes named imqbrokerd
- GlassFish installations that may include OpenMQ
- Java applications with OpenMQ dependencies
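The first check in this list, and the network-accessibility step under Exposure Assessment, can be scripted per host. The sketch below is an added example, not code from Eclipse or from the original article: it parses `ss -H -ltnp` output and reports whether each listener on port 7676 is bound to loopback only or to an address reachable from other machines. The sample output and the function names are constructed for illustration.

```python
import ipaddress

MGMT_PORT = 7676  # default OpenMQ port named in the article

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 50    0.0.0.0:7676     0.0.0.0:*  users:(("java",pid=2211,fd=45))
LISTEN 0 50  127.0.0.1:7676     0.0.0.0:*  users:(("java",pid=3120,fd=51))
LISTEN 0 50  [::1]:7676         [::]:*     users:(("java",pid=3120,fd=52))
LISTEN 0 50  10.20.0.15:7676    0.0.0.0:*  users:(("java",pid=4400,fd=12))
LISTEN 0 128 [::]:22            [::]:*     users:(("sshd",pid=801,fd=4))
"""

def classify_bind(host):
    """Return 'loopback', 'all-interfaces' or 'specific-interface'."""
    host = host.split("%", 1)[0].strip("[]")  # drop %iface scope, then brackets
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    ip = getattr(ip, "ipv4_mapped", None) or ip  # ::ffff:127.0.0.1 -> 127.0.0.1
    return "loopback" if ip.is_loopback else "specific-interface"

def audit_listeners(ss_output, port=MGMT_PORT):
    """Return one finding per TCP listener on `port`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue
        bind = classify_bind(host)
        findings.append({
            "local": fields[3],
            "bind": bind,
            "process": fields[5] if len(fields) > 5 else "unknown",
            # Bound beyond loopback; firewall rules still decide real reachability.
            "exposed": bind != "loopback",
        })
    return findings

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS):
        status = "REVIEW: bound off-loopback" if f["exposed"] else "ok: loopback only"
        print(f'{f["local"]:<18} {f["bind"]:<19} {status}  {f["process"]}')
```

On a real host, pass the output of `ss -H -ltnp` (run as root so the process column is populated) to `audit_listeners` in place of the constructed sample.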
If you find exposed instances, check authentication logs for suspicious access. An attacker who already discovered your vulnerable broker may have established persistence before you noticed the vulnerability.
For ongoing protection, add default credential checks to your vulnerability management program. Tools like Nessus and Qualys include plugins for common default credential pairs. The bigger challenge is catching application-specific defaults like OpenMQ's admin/admin that generic scanners might miss.