CVE-2026-49157

EUVD-2026-33574

01.06.2026, 09:16

Incorrect Default Permissions vulnerability in Apache ActiveMQ.

This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.

Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
apache	activemq	𝑥 < 5.19.7
apache	activemq	6.0.0 ≤ 𝑥 < 6.2.6

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

activemq

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable
sid	vulnerable
trixie	vulnerable

Common Weakness Enumeration

CWE-276 - Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.

Vulnerability Media Exposure

[GERMAN] Apache ActiveMQ: Mehrere Schwachstellen
Ein Angreifer kann mehrere Schwachstellen in Apache ActiveMQ ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Informationen offenzulegen, seine Rechte zu erweitern, Daten zu manipulieren und Code auszuführen.
Published: 2026-05-31T22:00:00+00:00

References

https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8

http://www.openwall.com/lists/oss-security/2026/05/31/21