Skip to main content

Apache ActiveMQ EUVDEUVD-2026-40283

| CVE-2026-49877 HIGH
Improper Authorization (CWE-285)
2026-06-30 apache GHSA-f892-4h9f-j7g9
8.1
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network-reachable Web Console (AV:N) abused by any logged-in low-privilege user (PR:L) with no interaction; admin access yields high confidentiality and integrity impact but no availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Jun 30, 2026 - 13:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 13:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 13:22 vuln.today
cvss_changed
CVSS changed
Jun 30, 2026 - 13:22 NVD
8.1 (HIGH)
Patch available
Jun 30, 2026 - 12:01 EUVD
Analysis Generated
Jun 30, 2026 - 11:16 vuln.today

DescriptionCVE.org

Improper Authorization vulnerability in Apache ActiveMQ.

An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.

Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

AnalysisAI

Privilege escalation via improper authorization in Apache ActiveMQ before 5.19.8 and 6.0.0 before 6.2.7 lets an authenticated low-privilege Web Console user reach the administrative /admin/* paths that should be restricted to administrators. The flaw stems from default Jetty configuration that failed to scope those paths to admin roles, granting low-priv users administrative Web Console functionality. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege Web Console user
Delivery
Request restricted /admin/* path
Exploit
Default Jetty rules fail to block
Execution
Gain administrative Web Console access
Impact
Manage broker as admin

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) a reachable Apache ActiveMQ Web Console running an affected version (before 5.19.8 or 6.0.0-6.2.6), and (2) valid credentials for any low-privilege Web Console user - by the vendor's own description this is the default behavior, so no special non-default feature toggle is needed; the insecure default Jetty path restriction is the enabling condition. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, base 8.1) indicates a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with high confidentiality and integrity impact but no availability impact - consistent with an authenticated user crossing into admin functions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or obtains low-privilege Web Console credentials (for example a read-only monitoring account) simply browses to an /admin/* URL and is granted administrative Web Console access that the default Jetty rules failed to block. With AV:N/AC:L and no user interaction, this requires only network reach to the console and one valid low-tier login. …
Remediation Vendor-released patch: upgrade to Apache ActiveMQ 6.2.7 (for the 6.x line) or 5.19.8 (for older releases), which correct the Jetty path restrictions; see the Apache advisory at https://lists.apache.org/thread/w82vtc3q02j5ot94tnyy1197y3wb98hl. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Apache ActiveMQ instances and document deployed versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy