CVE 4.3 MEDIUM

Apache Artemis Stomp Protocol, Apache ActiveMQ Artemis Stomp Protocol: Address routing-type can be updated by STOMP protocol user without the createAddress permission_CVE-2026-40914

May 29, 2026 invoker category_cve
4.3 / 10
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission.



This issue affects Apache Artemis: from 2.50.0 through 2.53.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.

Users are recommended to upgrade to version 2.54.0, which fixes the issue.

Basic Information

ID CVE-2026-40914
Source apache
Published May 28, 2026 at 12:28
Modified May 29, 2026 at 18:55

Affected Product

Vendor Apache Software Foundation
Product Apache Artemis Stomp Protocol
Version 2.50.0
Affected Versions Apache Software Foundation Apache Artemis Stomp Protocol 2.50.0
Apache Software Foundation Apache ActiveMQ Artemis Stomp Protocol 2.0.0

CWE Classification

CWE-863

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.