Skip to main content

Apache ActiveMQ Artemis CVE-2026-27446

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-03-04 security@apache.org GHSA-fw88-pf9m-p947
9.3
CVSS 4.0 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
9.1 HIGH
qualitative

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 12, 2026 - 13:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 12, 2026 - 13:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 13:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
CVE Published
Mar 04, 2026 - 09:15 nvd
CRITICAL 9.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 69 maven packages depend on org.apache.activemq:artemis-server (31 direct, 38 indirect)
  • 27 maven packages depend on org.apache.artemis:artemis-server (16 direct, 11 indirect)

Ecosystem-wide dependent count for version 2.11.0 and other introduced versions.

DescriptionCVE.org

Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:

  • incoming Core protocol connections from untrusted sources to the broker
  • outgoing Core protocol connections from the broker to untrusted targets

This issue affects:

  • Apache Artemis from 2.50.0 through 2.51.0
  • Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.

Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.

The issue can be mitigated by either of the following:

  • Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.
  • Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.

AnalysisAI

Unauthenticated remote attackers can exploit Apache ActiveMQ Artemis (2.11.0-2.44.0) and Apache Artemis (2.50.0-2.51.0) to force brokers into establishing malicious Core protocol federation connections. This missing authentication (CWE-306) enables both message injection into any queue and exfiltration from any queue via attacker-controlled rogue brokers. Exploitation requires environments allowing untrusted Core protocol connections (default port 61616) in both inbound and outbound directions. EPSS score of 0.20% suggests low current exploitation probability, and no CISA KEV listing exists, indicating this is not yet widely exploited despite the critical CVSS 9.3 score. Vendor patch available in version 2.52.0.

Technical ContextAI

Apache ActiveMQ Artemis implements the Core protocol for messaging federation, allowing brokers to establish connections for distributed message routing. The vulnerability stems from missing authentication on the Core protocol handler (CWE-306), specifically when the broker accepts Core protocol connections via acceptors (default 'artemis' acceptor on port 61616). The CPE data identifies two affected product lines: Apache ActiveMQ Artemis (2.11.0-2.44.0) and the newer Apache Artemis rebrand (2.50.0-2.51.0). The Core protocol's federation feature, designed for legitimate inter-broker communication, lacks proper authentication checks before establishing outbound federation connections when triggered by untrusted remote clients. The CVSS 4.0 vector (AV:N/AC:L/PR:N) confirms network-based exploitation requiring no authentication or user interaction, though the dual-direction connection requirement (both accepting and initiating Core connections to untrusted targets) adds deployment-specific nuance not fully captured in the base score.

RemediationAI

Upgrade to Apache Artemis version 2.52.0, which contains the authentication fix (confirmed by vendor advisory at https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg). Red Hat customers should apply RHSA-2026:3955 or RHSA-2026:3957 as appropriate. If immediate patching is not feasible, implement one of two compensating controls: (1) Disable Core protocol support on acceptors receiving untrusted connections by modifying the 'protocols' URL parameter on the 'artemis' acceptor (default port 61616) to exclude Core protocol-this prevents the vulnerable code path but breaks legitimate Core protocol clients; or (2) Enforce mutual TLS (two-way SSL) requiring client certificate authentication on all acceptors, which prevents unauthenticated exploitation but requires PKI infrastructure and client certificate distribution. Network-level controls like restricting inbound access to port 61616 to trusted sources OR blocking outbound Core protocol connections to untrusted destinations will also break the exploitation chain, though defense-in-depth suggests combining network controls with protocol-level mitigations. Siemens-specific guidance is available at https://cert-portal.siemens.com/productcert/html/ssa-085541.html.

Vendor StatusVendor

Share

CVE-2026-27446 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy