Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable Web Console (AV:N) abused by any logged-in low-privilege user (PR:L) with no interaction; admin access yields high confidentiality and integrity impact but no availability loss.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
Improper Authorization vulnerability in Apache ActiveMQ.
An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.
Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.
Articles & Coverage 1
AnalysisAI
Privilege escalation via improper authorization in Apache ActiveMQ before 5.19.8 and 6.0.0 before 6.2.7 lets an authenticated low-privilege Web Console user reach the administrative /admin/* paths that should be restricted to administrators. The flaw stems from default Jetty configuration that failed to scope those paths to admin roles, granting low-priv users administrative Web Console functionality. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) a reachable Apache ActiveMQ Web Console running an affected version (before 5.19.8 or 6.0.0-6.2.6), and (2) valid credentials for any low-privilege Web Console user - by the vendor's own description this is the default behavior, so no special non-default feature toggle is needed; the insecure default Jetty path restriction is the enabling condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, base 8.1) indicates a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with high confidentiality and integrity impact but no availability impact - consistent with an authenticated user crossing into admin functions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or obtains low-privilege Web Console credentials (for example a read-only monitoring account) simply browses to an /admin/* URL and is granted administrative Web Console access that the default Jetty rules failed to block. With AV:N/AC:L and no user interaction, this requires only network reach to the console and one valid low-tier login. … |
| Remediation | Vendor-released patch: upgrade to Apache ActiveMQ 6.2.7 (for the 6.x line) or 5.19.8 (for older releases), which correct the Jetty path restrictions; see the Apache advisory at https://lists.apache.org/thread/w82vtc3q02j5ot94tnyy1197y3wb98hl. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Apache ActiveMQ instances and document deployed versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Apache Activemq
View allRemote code execution in Apache ActiveMQ Classic versions before 5.19.5 and 6.0.0-6.2.2 allows authenticated attackers t
Remote code execution in Apache ActiveMQ 5.x (before 5.19.6) and 6.x (before 6.2.5) allows authenticated attackers to by
Remote code execution in Apache ActiveMQ allows authenticated attackers with admin console access to inject malicious Sp
Denial-of-service in Apache ActiveMQ STOMP connectors lets a remote peer that can reach an exposed STOMP port crash or e
Denial of service in Apache ActiveMQ (Client, broker, and All distributions) before 5.19.8 and 6.x before 6.2.7 lets a r
Remote denial of service in Apache ActiveMQ (versions 5.19.7 and 6.2.6) allows an unauthenticated attacker to exhaust br
Improper input validation in Apache ActiveMQ lets an attacker who can write or modify LDAP entries matching the broker's
Out-of-memory denial of service in Apache ActiveMQ allows unauthenticated remote attackers to exhaust broker memory via
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40283
GHSA-f892-4h9f-j7g9