Severity by source
CVSS vector (NVD, primary rating, only source for this CVE): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Description (CVE.org)
Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.
Brokers that are configured with a network connector with syncDurableSubs set to true are vulnerable to an unauthenticated attacker who can receive a list of all durable topic subscriptions in the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6.
Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
Analysis (AI-generated)
Unauthenticated information disclosure in Apache ActiveMQ Broker allows remote attackers to enumerate all durable topic subscriptions - including client identifiers, subscription names, topic destinations, and JMS selector expressions - by sending a BrokerInfo command to a broker with syncDurableSubs enabled on a network connector. The broker incorrectly skips authentication before servicing the BrokerInfo request, exposing sensitive messaging infrastructure metadata. …
Vulnerability Assessment (AI-generated)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires that the target Apache ActiveMQ broker has a network connector explicitly configured with syncDurableSubs set to true - this is a non-default configuration that must be deliberately enabled by an administrator. … |
| Risk Assessment | The CVSS 5.9 Medium score reflects a nuanced risk profile: AV:N confirms network reachability, PR:N confirms no credentials are required, and UI:N means no victim interaction is needed - all factors that favor exploitation. … |
| Exploit Scenario | An attacker who has identified a publicly reachable Apache ActiveMQ broker with a network connector configured with syncDurableSubs=true connects via the OpenWire protocol and sends a BrokerInfo command without providing any credentials. The broker, failing to enforce authentication before processing the request, responds with a full enumeration of durable topic subscriptions, revealing client identifiers, subscription names, topic destinations, and JMS selector expressions that map the internal messaging architecture. … |
| Remediation | Vendor-released patch: upgrade to Apache ActiveMQ 6.2.6 (for the 6.x line) or 5.19.7 (for the 5.x line), as recommended by the Apache security advisory at https://lists.apache.org/thread/k3233c1x506z3w7x4z0dqvd86d4v2fr2. … |
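As an added example (not part of the advisory or of the ActiveMQ project), this Python check combines the two conditions the description gives, an affected version and a networkConnector with syncDurableSubs="true", so an operator can triage a broker from its version and activemq.xml. The XML fragment and hostnames are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed versions given in the advisory: 5.19.7 for the 5.x line, 6.2.6 for 6.x.
FIXED_5X = (5, 19, 7)
FIXED_6X = (6, 2, 6)

def parse_version(version: str) -> tuple:
    """Reduce a broker version such as '5.18.3' or '6.1.2-SNAPSHOT' to ints."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ActiveMQ version: {version!r}")
    return tuple(int(n) for n in m.groups())

def version_affected(version: str) -> bool:
    """Affected ranges from the advisory: before 5.19.7, or 6.0.0 up to (not including) 6.2.6."""
    v = parse_version(version)
    return v < FIXED_5X or (6, 0, 0) <= v < FIXED_6X

def exposed_network_connectors(activemq_xml: str) -> list:
    """Return the URIs of every networkConnector with syncDurableSubs="true".
    Matches on the local tag name, so the ActiveMQ core namespace does not matter."""
    hits = []
    for el in ET.fromstring(activemq_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "networkConnector":
            continue
        if el.get("syncDurableSubs", "false").strip().lower() == "true":
            hits.append(el.get("uri", "<no uri>"))
    return hits

def assess(version: str, activemq_xml: str) -> dict:
    """The disclosure needs both conditions: an affected version and an exposed connector."""
    connectors = exposed_network_connectors(activemq_xml)
    affected = version_affected(version)
    return {"version_affected": affected,
            "exposed_connectors": connectors,
            "vulnerable": affected and bool(connectors)}

# Constructed activemq.xml fragment (hostnames are placeholders, not from the advisory).
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="hub">
    <networkConnectors>
      <networkConnector name="to-edge" uri="static:(tcp://edge.example.internal:61616)"
                        syncDurableSubs="true"/>
      <networkConnector name="to-dr" uri="static:(tcp://dr.example.internal:61616)"/>
    </networkConnectors>
  </broker>
</beans>"""

if __name__ == "__main__":
    print(assess("6.1.2", SAMPLE_CONFIG))  # vulnerable: True, one exposed connector
```

A broker that reports vulnerable here is fixed by the upgrade the advisory names; removing syncDurableSubs from the connector only narrows the exposure until the upgrade is done.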
Technique: Information Disclosure
Related identifiers: EUVD-2026-33573, GHSA-hf52-78x8-6w3w