Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
5DescriptionCVE.org
Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions.
This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.
AnalysisAI
Incomplete authorization in Apache ActiveMQ Broker allows authenticated low-privilege users to remove messaging destinations (queues and topics) beyond their granted permissions, causing targeted availability disruption to broker-connected producers and consumers. Affected versions span the 5.x line before 5.19.7 and the 6.x line from 6.0.0 before 6.2.6, covering ActiveMQ Broker and ActiveMQ All distributions. With an EPSS of 0.01% (3rd percentile), no CISA KEV listing, and no public exploit code identified, this is a low-urgency but genuine authorization control gap that is most relevant to environments with multiple untrusted authenticated broker accounts.
Technical ContextAI
Apache ActiveMQ is a widely-deployed open-source message broker supporting multiple messaging protocols including OpenWire, AMQP, MQTT, and STOMP. 'Destinations' in ActiveMQ are the named queues and topics that producers publish to and consumers subscribe from - deleting a destination disrupts all in-flight and pending message flows dependent on it. The broker's authorization framework is intended to control which authenticated principals can create, read, write to, or administer (including remove) each destination. CWE-285 (Improper Authorization) identifies the root cause: the broker performs an authentication check but the subsequent authorization check for the destination-removal operation is incomplete, allowing an authenticated session to succeed without holding the required removal or admin permission for that destination. This is an authorization enforcement gap rather than an authentication bypass, despite the 'Authentication Bypass' tag in the source intelligence.
RemediationAI
Upgrade to Apache ActiveMQ v6.2.6 for 6.x deployments, or v5.19.7 for 5.x deployments - both are confirmed vendor-released patches per the Apache security announcement at https://lists.apache.org/thread/l4lxgr2s73g9pb218f180psfyskf8ldm. If immediate upgrade is not operationally feasible, restrict broker authentication to only the minimum necessary accounts and audit destination-level ACLs to enforce least privilege, reducing the set of principals who could abuse this gap. Enabling strict authorization policies that deny-by-default for admin operations on destinations can serve as a compensating control, though its effectiveness depends on ActiveMQ version-specific ACL support. Adding monitoring or alerting on destination-deletion broker events provides a detective layer while patching is pending. Note that restricting unauthenticated access does not mitigate this vulnerability, as the flaw exists post-authentication in the authorization layer.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33575
GHSA-cpw7-g3p5-qrfq