CVE-2026-49157
HIGH
CVSS 8.8
No EPSS data
Description
Incorrect Default Permissions vulnerability in Apache ActiveMQ.
This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.
The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.
Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
Show JSON
{
"cve": {
"id": "CVE-2026-49157",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 8.8,
"attackVector": "NETWORK",
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "LOW",
"confidentialityImpact": "HIGH"
},
"impactScore": 5.9,
"exploitabilityScore": 2.8
}
]
},
"published": "2026-06-01T09:16:20.427",
"references": [
{
"url": "https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"source": "security@apache.org"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/05/31/21",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"source": "af854a3a-2127-422b-91ae-364da2661108"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Secondary",
"source": "security@apache.org",
"description": [
{
"lang": "en",
"value": "CWE-276"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect Default Permissions vulnerability in Apache ActiveMQ.\n\nThis issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.\n\nThe default Jolokia authorization settings granted\u00a0non-admin (low-privilege) web-login accounts\u00a0access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.\n\nUsers are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue."
}
],
"lastModified": "2026-06-01T17:09:59.100",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "793E68E6-9024-4518-B062-42B2DE5BB555",
"versionEndExcluding": "5.19.7"
},
{
"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FFF44DB9-1850-4B5F-AD0F-55CB5219AB22",
"versionEndExcluding": "6.2.6",
"versionStartIncluding": "6.0.0"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security@apache.org"
}
}