Skip to main content

Apache ActiveMQ CVE-2026-46605

| EUVDEUVD-2026-33575 MEDIUM
Improper Authorization (CWE-285)
2026-06-01 security@apache.org GHSA-cpw7-g3p5-qrfq
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Jun 01, 2026 - 15:25 vuln.today
CVSS changed
Jun 01, 2026 - 15:22 NVD
4.3 (MEDIUM)
Patch available
Jun 01, 2026 - 10:01 EUVD
CVE Published
Jun 01, 2026 - 09:16 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 09:16 nvd
MEDIUM 4.3

DescriptionCVE.org

Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions.

This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.

AnalysisAI

Incomplete authorization in Apache ActiveMQ Broker allows authenticated low-privilege users to remove messaging destinations (queues and topics) beyond their granted permissions, causing targeted availability disruption to broker-connected producers and consumers. Affected versions span the 5.x line before 5.19.7 and the 6.x line from 6.0.0 before 6.2.6, covering ActiveMQ Broker and ActiveMQ All distributions. With an EPSS of 0.01% (3rd percentile), no CISA KEV listing, and no public exploit code identified, this is a low-urgency but genuine authorization control gap that is most relevant to environments with multiple untrusted authenticated broker accounts.

Technical ContextAI

Apache ActiveMQ is a widely-deployed open-source message broker supporting multiple messaging protocols including OpenWire, AMQP, MQTT, and STOMP. 'Destinations' in ActiveMQ are the named queues and topics that producers publish to and consumers subscribe from - deleting a destination disrupts all in-flight and pending message flows dependent on it. The broker's authorization framework is intended to control which authenticated principals can create, read, write to, or administer (including remove) each destination. CWE-285 (Improper Authorization) identifies the root cause: the broker performs an authentication check but the subsequent authorization check for the destination-removal operation is incomplete, allowing an authenticated session to succeed without holding the required removal or admin permission for that destination. This is an authorization enforcement gap rather than an authentication bypass, despite the 'Authentication Bypass' tag in the source intelligence.

RemediationAI

Upgrade to Apache ActiveMQ v6.2.6 for 6.x deployments, or v5.19.7 for 5.x deployments - both are confirmed vendor-released patches per the Apache security announcement at https://lists.apache.org/thread/l4lxgr2s73g9pb218f180psfyskf8ldm. If immediate upgrade is not operationally feasible, restrict broker authentication to only the minimum necessary accounts and audit destination-level ACLs to enforce least privilege, reducing the set of principals who could abuse this gap. Enabling strict authorization policies that deny-by-default for admin operations on destinations can serve as a compensating control, though its effectiveness depends on ActiveMQ version-specific ACL support. Adding monitoring or alerting on destination-deletion broker events provides a detective layer while patching is pending. Note that restricting unauthenticated access does not mitigate this vulnerability, as the flaw exists post-authentication in the authorization layer.

Share

CVE-2026-46605 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy