Skip to main content

Apache Artemis CVE-2026-32642

| EUVDEUVD-2026-14782 LOW
Incorrect Authorization (CWE-863)
2026-03-24 apache GHSA-f4gc-mwrg-q36r
2.3
CVSS 4.0 · Vendor: apache

Severity by source

Vendor (apache) PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (apache) · only source for this CVE.

CVSS VectorVendor: apache

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 08:15 euvd
EUVD-2026-14782
Analysis Generated
Mar 24, 2026 - 08:15 vuln.today
CVE Published
Mar 24, 2026 - 07:53 nvd
LOW 2.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 maven packages depend on org.apache.activemq:artemis-openwire-protocol (2 direct, 1 indirect)
  • 3 maven packages depend on org.apache.artemis:artemis-openwire-protocol (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 2.0.0 and other introduced versions.

DescriptionCVE.org

Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed.

This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.

Users are recommended to upgrade to version 2.53.0, which fixes the issue.

AnalysisAI

An incorrect authorization vulnerability exists in Apache Artemis and Apache ActiveMQ Artemis where the OpenWire protocol fails to properly enforce permission checks when creating non-durable JMS topic subscriptions on non-existent addresses. A user with only 'createDurableQueue' permission but lacking 'createAddress' permission can bypass authorization controls to create temporary addresses that should be denied, circumventing the intended security model when address auto-creation is disabled. This authentication bypass persists until the OpenWire connection closes and the temporary address is cleaned up.

Technical ContextAI

The vulnerability resides in the OpenWire protocol handler of Apache Artemis (versions 2.50.0-2.52.0) and Apache ActiveMQ Artemis (versions 2.0.0-2.44.0), as identified by CPE cpe:2.3:a:apache_software_foundation:apache_artemis and cpe:2.3:a:apache_software_foundation:apache_activemq_artemis. The root cause is classified as CWE-863 (Incorrect Authorization), stemming from a logic flaw in the permission validation layer. When address auto-creation is disabled, the authorization check for 'createAddress' permission should precede any subscription creation attempt; instead, the system incorrectly creates temporary addresses for non-durable topic subscriptions even when the authenticated user lacks the necessary permission to create addresses. This represents a privilege escalation vector where fine-grained permission boundaries (createDurableQueue vs createAddress) are not properly enforced at the protocol level.

RemediationAI

Upgrade Apache Artemis to version 2.53.0 or later, and upgrade Apache ActiveMQ Artemis to version 2.45.0 or later (see vendor advisory at https://lists.apache.org/thread/4wlrp31ngq2yb54sf4kjb3bl41t4xgtp for official guidance). Until patching is feasible, implement network-level access controls restricting OpenWire protocol access to trusted client applications and systems; enforce role-based access control policies with the principle of least privilege, ensuring users receive only the specific permissions required (e.g., avoid granting createDurableQueue without necessity); and consider enabling address auto-creation in controlled environments where address whitelist validation is feasible, or disable OpenWire protocol entirely if not essential to your architecture.

Share

CVE-2026-32642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy