Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability...

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

Incorrect Default Permissions vulnerability in Apache ActiveMQ.

This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.

Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

AI Analysis

Incorrect default permissions in Apache ActiveMQ allow low-privilege users to execute broker management operations.

Basic Information

ID CVE-2026-49157

Source apache

Published Jun 1, 2026 at 07:20

Modified Jun 1, 2026 at 14:42

Affected Product

Vendor Apache Software Foundation

Product Apache ActiveMQ

Affected Versions Apache Software Foundation Apache ActiveMQ 0
Apache Software Foundation Apache ActiveMQ 6.0.0

CWE Classification

CWE-276

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Apache Foundation

Product Apache ActiveMQ

Version before 5.19.7, from 6.0.0 before 6.2.6

References

lists.apache.org /thread/rrcsf6s90hj4tdh89nvkko75q5505rj8

{
    "lastseen": "",
    "description": "Incorrect Default Permissions vulnerability in Apache ActiveMQ.\n\nThis issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.\n\nThe default Jolokia authorization settings granted\u00a0non-admin (low-privilege) web-login accounts\u00a0access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.\n\nUsers are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.",
    "published": "2026-06-01T07:20:10.862Z",
    "modified": "2026-06-01T14:42:33.386Z",
    "type": "cve",
    "title": "Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default",
    "source": "apache",
    "references": "https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8",
    "id": "CVE-2026-49157",
    "bulletinFamily": "",
    "cwe": [
        "CWE-276"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache ActiveMQ 0\nApache Software Foundation Apache ActiveMQ 6.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache ActiveMQ",
    "version": "0",
    "vendor": "Apache Software Foundation",
    "ai_description": "Incorrect default permissions in Apache ActiveMQ allow low-privilege users to execute broker management operations.",
    "ai_severity": "High",
    "ai_vendor": "Apache Foundation",
    "ai_product": "Apache ActiveMQ",
    "ai_version": "before 5.19.7, from 6.0.0 before 6.2.6",
    "ai_score": 8.8
}

Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default_CVE-2026-49157