Skip to main content

Apache ActiveMQ EUVDEUVD-2026-33574

| CVE-2026-49157 HIGH
Incorrect Default Permissions (CWE-276)
2026-06-01 security@apache.org GHSA-99qx-5qqr-4j95
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Generated
Jun 01, 2026 - 15:23 vuln.today
CVSS changed
Jun 01, 2026 - 15:22 NVD
8.8 (HIGH)
Patch available
Jun 01, 2026 - 10:01 EUVD
CVE Published
Jun 01, 2026 - 09:16 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 01, 2026 - 09:16 nvd
HIGH 8.8

DescriptionCVE.org

Incorrect Default Permissions vulnerability in Apache ActiveMQ.

This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.

Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

AnalysisAI

Privilege escalation in Apache ActiveMQ versions before 5.19.7 and 6.0.0 through 6.2.5 allows authenticated low-privilege web-login users to invoke administrative Jolokia operations such as addQueue and removeQueue due to overly permissive default authorization settings. The CVSS 8.8 score reflects high impact on confidentiality, integrity, and availability, though EPSS exploitation probability sits at just 0.01% and no public exploit identified at time of analysis. The flaw effectively collapses the broker's privilege boundary between normal web users and administrators.

Technical ContextAI

Apache ActiveMQ is a widely deployed open-source message broker implementing JMS, AMQP, MQTT, and STOMP protocols. It exposes a management interface via Jolokia, a JMX-HTTP bridge that allows JMX MBean operations to be invoked over REST. The vulnerability is rooted in CWE-276 (Incorrect Default Permissions): the shipped Jolokia authorization policy did not properly restrict sensitive MBean operations (such as addQueue and removeQueue on broker management beans) to administrative roles, instead inheriting permissions that allowed any authenticated web-login user to invoke them. This is a configuration/policy defect in the access-control mapping rather than a memory-safety or injection bug.

RemediationAI

Vendor-released patch: upgrade to Apache ActiveMQ 6.2.6 (for the 6.x line) or 5.19.7 (for the 5.x line), which correct the default Jolokia authorization policy as described in the Apache advisory at https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8. Where immediate upgrade is not feasible, restrict the Jolokia endpoint by tightening jolokia-access.xml or the policy file to require an explicit admin role for management MBeans (notably addQueue, removeQueue, and similar broker operations), or front the Jolokia path with an authenticating reverse proxy that allows only admin users - the side effect is that legitimate non-admin monitoring queries through Jolokia will also be denied. As an additional control, audit existing low-privilege web-login accounts and remove any that are no longer needed, since exploitation requires a valid credential.

Share

EUVD-2026-33574 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy