Skip to main content

Apache ActiveMQ Artemis CVE-2026-40914

| EUVDEUVD-2026-32894 MEDIUM
Incorrect Authorization (CWE-863)
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 29, 2026 - 12:38 vuln.today
CVSS changed
May 29, 2026 - 12:37 NVD
4.3 (MEDIUM)
CVE Published
May 27, 2026 - 20:45 nvd
UNKNOWN (no severity yet)
CVE Published
May 27, 2026 - 20:45 nvd
MEDIUM 4.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 maven packages depend on org.apache.artemis:artemis-stomp-protocol (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 2.50.0.

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Incorrect authorization in Apache ActiveMQ Artemis allows authenticated STOMP protocol clients to modify address routing-type settings without sufficient privilege checks. Affects Artemis versions through 2.44.0 and 2.53.0 respectively, the flaw (CWE-863) permits low-privileged network users to alter broker address routing configuration, impacting message routing integrity. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in a monitor-and-patch priority tier rather than emergency response.

Technical ContextAI

Apache ActiveMQ Artemis is an asynchronous messaging broker implementing JMS and multiple wire protocols including STOMP (Streaming Text Orientated Messaging Protocol), a lightweight text-based messaging protocol. The vulnerability root cause is CWE-863 (Incorrect Authorization) - the broker fails to enforce adequate authorization checks when a STOMP client issues commands that update the routing-type of an address. In Artemis, address routing-type governs whether messages are delivered via ANYCAST (point-to-point queuing) or MULTICAST (publish-subscribe topic semantics). Unauthorized modification of this attribute can subvert the intended message delivery model. Affected CPEs are cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:* covering versions 2.0.0 through 2.44.0, and cpe:2.3:a:apache:artemis:*:*:*:*:*:*:*:* covering 2.50.0 through 2.53.0. The JIRA tracker reference is ARTEMIS-5996.

RemediationAI

Upgrade Apache ActiveMQ Artemis to a version above 2.44.0 and Apache Artemis to a version above 2.53.0; the precise patched release versions are not independently confirmed from the available input data - consult the official Apache Artemis release page and the mailing list thread at https://lists.apache.org/thread/6q3st8dlorz2q05svqn11k1xl7jkmm4c for the authoritative fixed version. As a compensating control where immediate upgrade is not possible, restrict STOMP protocol listener access to trusted network segments via firewall rules or broker-level access control lists, preventing untrusted low-privilege clients from reaching the STOMP endpoint entirely - this eliminates the attack surface at the cost of reducing STOMP client reach. Alternatively, enforce stricter role-based access control policies within Artemis to limit which authenticated users can perform address management operations, though this requires careful policy review to avoid breaking legitimate broker administration workflows.

Share

CVE-2026-40914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy