
Apache ActiveMQ EUVD-2026-33573

CVE-2026-49270 MEDIUM
Exposure of Sensitive Information Through Metadata (CWE-1230)
2026-06-01 security@apache.org GHSA-hf52-78x8-6w3w
5.9
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

  • Jun 01, 2026 15:25 (vuln.today): Analysis Generated
  • Jun 01, 2026 15:22 (NVD): CVSS changed to 5.9 (MEDIUM)
  • Jun 01, 2026 10:01 (EUVD): Patch available
  • Jun 01, 2026 09:16 (nvd): CVE Published, UNKNOWN (no severity yet)
  • Jun 01, 2026 09:16 (nvd): CVE Published, MEDIUM 5.9

Description (CVE.org)

Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All.

Brokers that are configured with a network connector with syncDurableSubs set to true are vulnerable to an unauthenticated attacker, who can receive a list of all durable topic subscriptions in the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6.

Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
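The description gives two conditions that must both hold for a broker to be exposed: an affected version, and a network connector with syncDurableSubs="true". The script below turns those two conditions into an inventory check that can be run against exported activemq.xml files. It is an added example, not code from this page or from the Apache ActiveMQ project; the two activemq.xml samples are constructed for it, and it assumes the usual Spring-style activemq.xml layout with networkConnector elements under the broker's networkConnectors (with or without the ActiveMQ core namespace). The version ranges and fixed versions are the ones stated in the description above.

```python
"""Inventory check for CVE-2026-49270 exposure (added example, not project code).

A broker is exposed only when both advisory conditions hold:
  1. its version is in an affected range (before 5.19.7, or 6.0.0 before 6.2.6), and
  2. at least one <networkConnector> has syncDurableSubs="true".
Assumption: a Spring-style activemq.xml whose networkConnector elements sit in
the ActiveMQ core namespace or in no namespace at all.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Affected ranges as [low, high), copied from the advisory text.
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((0, 0, 0), (5, 19, 7)),  # every release before 5.19.7
    ((6, 0, 0), (6, 2, 6)),   # 6.0.0 up to, but not including, 6.2.6
]
FIXED_VERSIONS = {"5.x": "5.19.7", "6.x": "6.2.6"}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Map '5.18.3' or '6.1.0-SNAPSHOT' to a comparable (major, minor, patch) triple.

    Qualifiers after '-' are dropped, so a pre-release build of a fixed version
    (e.g. '6.2.6-SNAPSHOT') is reported as fixed; confirm such builds by hand.
    """
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


def version_is_affected(version: str) -> bool:
    """True if the broker version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def _local_name(tag: str) -> str:
    """Strip ElementTree's '{namespace}' prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def sync_durable_sub_connectors(activemq_xml: str) -> List[str]:
    """Return the name (or uri) of every networkConnector with syncDurableSubs="true".

    Spring placeholders such as "${...}" are not resolved here: any value that is
    not literally true/false is reported as unresolved for manual review.
    """
    root = ET.fromstring(activemq_xml)
    hits: List[str] = []
    for el in root.iter():
        if _local_name(el.tag) != "networkConnector":
            continue
        ident = el.get("name") or el.get("uri") or "<unnamed>"
        value = el.get("syncDurableSubs", "false").strip().lower()
        if value == "true":
            hits.append(ident)
        elif value != "false":
            hits.append(f"{ident} (unresolved value {value!r})")
    return hits


def assess(version: str, activemq_xml: str) -> Dict[str, object]:
    """Combine both advisory conditions into one verdict for a single broker."""
    connectors = sync_durable_sub_connectors(activemq_xml)
    affected = version_is_affected(version)
    line = "6.x" if parse_version(version) >= (6, 0, 0) else "5.x"
    return {
        "version_affected": affected,
        "sync_durable_subs_connectors": connectors,
        "exposed": affected and bool(connectors),
        "fixed_version": FIXED_VERSIONS[line],
    }


# Constructed sample configs for this example (not taken from any real deployment).
SYNC_ENABLED_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker-a">
    <networkConnectors>
      <networkConnector name="to-broker-b" uri="static:(tcp://broker-b:61616)"
                        syncDurableSubs="true"/>
    </networkConnectors>
  </broker>
</beans>
"""
SYNC_DISABLED_XML = SYNC_ENABLED_XML.replace('syncDurableSubs="true"', 'syncDurableSubs="false"')

if __name__ == "__main__":
    for label, version, xml in [
        ("6.2.5, sync enabled", "6.2.5", SYNC_ENABLED_XML),
        ("6.2.6, sync enabled", "6.2.6", SYNC_ENABLED_XML),
        ("5.19.0, sync disabled", "5.19.0", SYNC_DISABLED_XML),
    ]:
        print(label, "->", assess(version, xml))
```

The verdict deliberately separates "version_affected" from "exposed": a broker on 5.19.0 with no syncDurableSubs connector is not exposed to this issue but is still running a version the advisory asks you to upgrade, and a broker on 6.2.6 with syncDurableSubs="true" has the fix regardless of its configuration. Disabling syncDurableSubs changes how durable subscriptions propagate across the broker network, so treat the upgrade as the fix and the configuration check as a way to prioritise which brokers to upgrade first.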

Analysis (AI)

Unauthenticated information disclosure in Apache ActiveMQ Broker allows remote attackers to enumerate all durable topic subscriptions - including client identifiers, subscription names, topic destinations, and JMS selector expressions - by sending a BrokerInfo command to a broker with syncDurableSubs enabled on a network connector. The broker incorrectly skips authentication before servicing the BrokerInfo request, exposing sensitive messaging infrastructure metadata. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify ActiveMQ broker with OpenWire port exposed
  • Delivery: Confirm syncDurableSubs network connector configuration (via banner or trial)
  • Exploit: Send unauthenticated BrokerInfo command over OpenWire
  • Execution: Broker skips auth check and responds
  • Persist: Harvest durable subscription metadata (client IDs, topics, selectors)
  • Impact: Use topology data to inform follow-on messaging attacks

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target Apache ActiveMQ broker has a network connector explicitly configured with syncDurableSubs set to true. This is a non-default configuration that must be deliberately enabled by an administrator, which is why the vector carries AC:H despite needing no credentials. …

Risk Assessment: The CVSS 5.9 Medium score combines factors that favour exploitation with one that limits it. AV:N confirms network reachability, PR:N confirms no credentials are required, and UI:N means no victim interaction is needed; C:H/I:N/A:N records that the outcome is read-only disclosure of subscription metadata, with no effect on message integrity or broker availability, and AC:H reflects the configuration prerequisite above. …

Exploit Scenario: An attacker who has identified a publicly reachable Apache ActiveMQ broker with a network connector configured with syncDurableSubs=true connects via the OpenWire protocol and sends a BrokerInfo command without providing any credentials. The broker, failing to enforce authentication before processing the request, responds with a full enumeration of durable topic subscriptions, revealing client identifiers, subscription names, topic destinations, and JMS selector expressions that map the internal messaging architecture. …

Remediation: Vendor-released patch: upgrade to Apache ActiveMQ 6.2.6 (for the 6.x line) or 5.19.7 (for the 5.x line), as recommended by the Apache security advisory at https://lists.apache.org/thread/k3233c1x506z3w7x4z0dqvd86d4v2fr2. …



EUVD-2026-33573 vulnerability details – vuln.today
