Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (apache) · only source for this CVE.
CVSS VectorVendor: apache
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4Blast Radius
ecosystem impact- 3 maven packages depend on org.apache.activemq:artemis-openwire-protocol (2 direct, 1 indirect)
- 3 maven packages depend on org.apache.artemis:artemis-openwire-protocol (1 direct, 2 indirect)
Ecosystem-wide dependent count for version 2.0.0 and other introduced versions.
DescriptionCVE.org
Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed.
This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.
Users are recommended to upgrade to version 2.53.0, which fixes the issue.
AnalysisAI
An incorrect authorization vulnerability exists in Apache Artemis and Apache ActiveMQ Artemis where the OpenWire protocol fails to properly enforce permission checks when creating non-durable JMS topic subscriptions on non-existent addresses. A user with only 'createDurableQueue' permission but lacking 'createAddress' permission can bypass authorization controls to create temporary addresses that should be denied, circumventing the intended security model when address auto-creation is disabled. This authentication bypass persists until the OpenWire connection closes and the temporary address is cleaned up.
Technical ContextAI
The vulnerability resides in the OpenWire protocol handler of Apache Artemis (versions 2.50.0-2.52.0) and Apache ActiveMQ Artemis (versions 2.0.0-2.44.0), as identified by CPE cpe:2.3:a:apache_software_foundation:apache_artemis and cpe:2.3:a:apache_software_foundation:apache_activemq_artemis. The root cause is classified as CWE-863 (Incorrect Authorization), stemming from a logic flaw in the permission validation layer. When address auto-creation is disabled, the authorization check for 'createAddress' permission should precede any subscription creation attempt; instead, the system incorrectly creates temporary addresses for non-durable topic subscriptions even when the authenticated user lacks the necessary permission to create addresses. This represents a privilege escalation vector where fine-grained permission boundaries (createDurableQueue vs createAddress) are not properly enforced at the protocol level.
RemediationAI
Upgrade Apache Artemis to version 2.53.0 or later, and upgrade Apache ActiveMQ Artemis to version 2.45.0 or later (see vendor advisory at https://lists.apache.org/thread/4wlrp31ngq2yb54sf4kjb3bl41t4xgtp for official guidance). Until patching is feasible, implement network-level access controls restricting OpenWire protocol access to trusted client applications and systems; enforce role-based access control policies with the principle of least privilege, ensuring users receive only the specific permissions required (e.g., avoid granting createDurableQueue without necessity); and consider enabling address auto-creation in controlled environments where address whitelist validation is feasible, or disable OpenWire protocol entirely if not essential to your architecture.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14782
GHSA-f4gc-mwrg-q36r