Apache ActiveMQ Artemis
CVE-2026-27446
CRITICAL
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 69 maven packages depend on org.apache.activemq:artemis-server (31 direct, 38 indirect)
- 27 maven packages depend on org.apache.artemis:artemis-server (16 direct, 11 indirect)
Ecosystem-wide dependent count for version 2.11.0 and other introduced versions.
DescriptionCVE.org
Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:
- incoming Core protocol connections from untrusted sources to the broker
- outgoing Core protocol connections from the broker to untrusted targets
This issue affects:
- Apache Artemis from 2.50.0 through 2.51.0
- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.
Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.
The issue can be mitigated by either of the following:
- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.
- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.
AnalysisAI
Unauthenticated remote attackers can exploit Apache ActiveMQ Artemis (2.11.0-2.44.0) and Apache Artemis (2.50.0-2.51.0) to force brokers into establishing malicious Core protocol federation connections. This missing authentication (CWE-306) enables both message injection into any queue and exfiltration from any queue via attacker-controlled rogue brokers. Exploitation requires environments allowing untrusted Core protocol connections (default port 61616) in both inbound and outbound directions. EPSS score of 0.20% suggests low current exploitation probability, and no CISA KEV listing exists, indicating this is not yet widely exploited despite the critical CVSS 9.3 score. Vendor patch available in version 2.52.0.
Technical ContextAI
Apache ActiveMQ Artemis implements the Core protocol for messaging federation, allowing brokers to establish connections for distributed message routing. The vulnerability stems from missing authentication on the Core protocol handler (CWE-306), specifically when the broker accepts Core protocol connections via acceptors (default 'artemis' acceptor on port 61616). The CPE data identifies two affected product lines: Apache ActiveMQ Artemis (2.11.0-2.44.0) and the newer Apache Artemis rebrand (2.50.0-2.51.0). The Core protocol's federation feature, designed for legitimate inter-broker communication, lacks proper authentication checks before establishing outbound federation connections when triggered by untrusted remote clients. The CVSS 4.0 vector (AV:N/AC:L/PR:N) confirms network-based exploitation requiring no authentication or user interaction, though the dual-direction connection requirement (both accepting and initiating Core connections to untrusted targets) adds deployment-specific nuance not fully captured in the base score.
RemediationAI
Upgrade to Apache Artemis version 2.52.0, which contains the authentication fix (confirmed by vendor advisory at https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fqlzoc8gg). Red Hat customers should apply RHSA-2026:3955 or RHSA-2026:3957 as appropriate. If immediate patching is not feasible, implement one of two compensating controls: (1) Disable Core protocol support on acceptors receiving untrusted connections by modifying the 'protocols' URL parameter on the 'artemis' acceptor (default port 61616) to exclude Core protocol-this prevents the vulnerable code path but breaks legitimate Core protocol clients; or (2) Enforce mutual TLS (two-way SSL) requiring client certificate authentication on all acceptors, which prevents unauthenticated exploitation but requires PKI infrastructure and client certificate distribution. Network-level controls like restricting inbound access to port 61616 to trusted sources OR blocking outbound Core protocol connections to untrusted destinations will also break the exploitation chain, though defense-in-depth suggests combining network controls with protocol-level mitigations. Siemens-specific guidance is available at https://cert-portal.siemens.com/productcert/html/ssa-085541.html.
More in Activemq Artemis
View allThe getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemi
Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. Rated medium severity (CVSS 6
Incorrect authorization in Apache ActiveMQ Artemis allows authenticated STOMP protocol clients to modify address routing
A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue pe
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-fw88-pf9m-p947