Skip to main content

Artemis

11 CVEs product

Monthly

CVE-2026-40914 Maven MEDIUM PATCH This Month

Incorrect authorization in Apache ActiveMQ Artemis allows authenticated STOMP protocol clients to modify address routing-type settings without sufficient privilege checks. Affects Artemis versions through 2.44.0 and 2.53.0 respectively, the flaw (CWE-863) permits low-privileged network users to alter broker address routing configuration, impacting message routing integrity. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in a monitor-and-patch priority tier rather than emergency response.

Apache Command Injection Jenkins Authentication Bypass Denial Of Service +2
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-27446 Maven CRITICAL PATCH CISA GHSA Act Now

Unauthenticated remote attackers can exploit Apache ActiveMQ Artemis (2.11.0-2.44.0) and Apache Artemis (2.50.0-2.51.0) to force brokers into establishing malicious Core protocol federation connections. This missing authentication (CWE-306) enables both message injection into any queue and exfiltration from any queue via attacker-controlled rogue brokers. Exploitation requires environments allowing untrusted Core protocol connections (default port 61616) in both inbound and outbound directions. EPSS score of 0.20% suggests low current exploitation probability, and no CISA KEV listing exists, indicating this is not yet widely exploited despite the critical CVSS 9.3 score. Vendor patch available in version 2.52.0.

Apache Authentication Bypass Activemq Artemis Artemis
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2023-50780 Maven HIGH PATCH This Week

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Authentication Bypass Artemis
NVD VulDB
CVSS 3.1
8.8
EPSS
2.1%
CVE-2021-4040 Maven MEDIUM PATCH This Month

A flaw was found in AMQ Broker. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Amq Broker Artemis
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
8.8%
CVE-2022-35278 Maven MEDIUM PATCH This Month

In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache XSS Artemis Active Iq Unified Manager Oncommand Workflow Automation
NVD VulDB
CVSS 3.1
6.1
EPSS
7.9%
CVE-2022-23913 Maven HIGH POC PATCH GHSA This Week

In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Apache Artemis Active Iq Unified Manager Oncommand Workflow Automation
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2021-26118 Maven HIGH PATCH GHSA This Week

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Authentication Bypass Artemis Oncommand Workflow Automation
NVD VulDB
CVSS 3.1
7.5
EPSS
1.0%
CVE-2021-26117 Maven HIGH PATCH This Week

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Activemq Artemis Oncommand Workflow Automation +5
NVD VulDB
CVSS 3.1
7.5
EPSS
9.9%
CVE-2020-13932 Maven MEDIUM PATCH This Month

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Artemis
NVD VulDB
CVSS 3.1
6.1
EPSS
2.6%
CVE-2020-10727 Maven MEDIUM PATCH This Month

A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Artemis Oncommand Workflow Automation
NVD VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2017-12174 Maven HIGH PATCH This Week

It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Artemis Hornetq Jboss Enterprise Application Platform
NVD VulDB
CVSS 3.1
7.5
EPSS
7.4%
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Incorrect authorization in Apache ActiveMQ Artemis allows authenticated STOMP protocol clients to modify address routing-type settings without sufficient privilege checks. Affects Artemis versions through 2.44.0 and 2.53.0 respectively, the flaw (CWE-863) permits low-privileged network users to alter broker address routing configuration, impacting message routing integrity. No public exploit code has been identified at time of analysis, and CISA KEV listing is absent, placing this in a monitor-and-patch priority tier rather than emergency response.

Apache Command Injection Jenkins +4
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Unauthenticated remote attackers can exploit Apache ActiveMQ Artemis (2.11.0-2.44.0) and Apache Artemis (2.50.0-2.51.0) to force brokers into establishing malicious Core protocol federation connections. This missing authentication (CWE-306) enables both message injection into any queue and exfiltration from any queue via attacker-controlled rogue brokers. Exploitation requires environments allowing untrusted Core protocol connections (default port 61616) in both inbound and outbound directions. EPSS score of 0.20% suggests low current exploitation probability, and no CISA KEV listing exists, indicating this is not yet widely exploited despite the critical CVSS 9.3 score. Vendor patch available in version 2.52.0.

Apache Authentication Bypass Activemq Artemis +1
NVD VulDB
EPSS 2% CVSS 8.8
HIGH PATCH This Week

Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Apache Authentication Bypass Artemis
NVD VulDB
EPSS 9% CVSS 5.3
MEDIUM PATCH This Month

A flaw was found in AMQ Broker. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Amq Broker Artemis
NVD GitHub VulDB
EPSS 8% CVSS 6.1
MEDIUM PATCH This Month

In Apache ActiveMQ Artemis prior to 2.24.0, an attacker could show malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache XSS Artemis +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

In Apache ActiveMQ Artemis prior to 2.20.0 or 2.19.1, an attacker could partially disrupt availability (DoS) through uncontrolled resource consumption of memory. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Apache Artemis +2
NVD VulDB
EPSS 1% CVSS 7.5
HIGH PATCH This Week

While investigating ARTEMIS-2964 it was found that the creation of advisory messages in the OpenWire protocol head of Apache ActiveMQ Artemis 2.15.0 bypassed policy based access control for the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Apache Authentication Bypass Artemis +1
NVD VulDB
EPSS 10% CVSS 7.5
HIGH PATCH This Week

The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Apache Authentication Bypass Activemq +7
NVD VulDB
EPSS 3% CVSS 6.1
MEDIUM PATCH This Month

In Apache ActiveMQ Artemis 2.5.0 to 2.13.0, a specially crafted MQTT packet which has an XSS payload as client-id or topic name can exploit this vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

Apache XSS Artemis
NVD VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A flaw was found in ActiveMQ Artemis management API from version 2.7.0 up until 2.12.0, where a user inadvertently stores passwords in plaintext in the Artemis shadow file. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity.

Information Disclosure Artemis Oncommand Workflow Automation
NVD VulDB
EPSS 7% CVSS 7.5
HIGH PATCH This Week

It was found that when Artemis and HornetQ before 2.4.0 are configured with UDP discovery and JGroups discovery a huge byte array is created when receiving an unexpected multicast message. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Artemis Hornetq +1
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy