CVE 2.3 LOW

Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission_CVE-2026-32642

April 12, 2026 invoker category_cve
2.3 / 10
LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed.

This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.

Users are recommended to upgrade to version 2.53.0, which fixes the issue.

Basic Information

ID CVE-2026-32642
Source apache
Published Mar 24, 2026 at 07:53
Modified Mar 24, 2026 at 14:13

Affected Product

Vendor Apache Software Foundation
Product Apache Artemis
Version 2.50.0
Affected Versions Apache Software Foundation Apache Artemis 2.50.0
Apache Software Foundation Apache ActiveMQ Artemis 2.0.0

CWE Classification

CWE-863

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.