GHSA-rf99-f9j2-gv3f
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 3 maven packages depend on org.apache.artemis:artemis-stomp-protocol (1 direct, 2 indirect)
Ecosystem-wide dependent count for version 2.50.0.
Description PRE-NVD
AnalysisAI
Incorrect authorization in Apache ActiveMQ Artemis allows authenticated STOMP protocol clients to modify address routing-type settings without sufficient privilege checks. Affects Artemis versions through 2.44.0 and 2.53.0 respectively, the flaw (CWE-863) permits low-privileged network users to alter broker address routing configuration, impacting message routing integrity. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in a monitor-and-patch priority tier rather than emergency response.
Technical ContextAI
Apache ActiveMQ Artemis is an asynchronous messaging broker implementing JMS and multiple wire protocols including STOMP (Streaming Text Orientated Messaging Protocol), a lightweight text-based messaging protocol. The vulnerability root cause is CWE-863 (Incorrect Authorization) - the broker fails to enforce adequate authorization checks when a STOMP client issues commands that update the routing-type of an address. In Artemis, address routing-type governs whether messages are delivered via ANYCAST (point-to-point queuing) or MULTICAST (publish-subscribe topic semantics). Unauthorized modification of this attribute can subvert the intended message delivery model. Affected CPEs are cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:* covering versions 2.0.0 through 2.44.0, and cpe:2.3:a:apache:artemis:*:*:*:*:*:*:*:* covering 2.50.0 through 2.53.0. The JIRA tracker reference is ARTEMIS-5996.
RemediationAI
Upgrade Apache ActiveMQ Artemis to a version above 2.44.0 and Apache Artemis to a version above 2.53.0; the precise patched release versions are not independently confirmed from the available input data - consult the official Apache Artemis release page and the mailing list thread at https://lists.apache.org/thread/6q3st8dlorz2q05svqn11k1xl7jkmm4c for the authoritative fixed version. As a compensating control where immediate upgrade is not possible, restrict STOMP protocol listener access to trusted network segments via firewall rules or broker-level access control lists, preventing untrusted low-privilege clients from reaching the STOMP endpoint entirely - this eliminates the attack surface at the cost of reducing STOMP client reach. Alternatively, enforce stricter role-based access control policies within Artemis to limit which authenticated users can perform address management operations, though this requires careful policy review to avoid breaking legitimate broker administration workflows.
More in Activemq Artemis
View allUnauthenticated remote attackers can exploit Apache ActiveMQ Artemis (2.11.0-2.44.0) and Apache Artemis (2.50.0-2.51.0)
The getObject method of the javax.jms.ObjectMessage class in the (1) JMS Core client, (2) Artemis broker, and (3) Artemi
Insertion of Sensitive Information into Log File vulnerability in Apache ActiveMQ Artemis. Rated medium severity (CVSS 6
A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue pe
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32894