BIT-activemq-2026-49157

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/activemq/BIT-activemq-2026-49157.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-activemq-2026-49157

Aliases

CVE-2026-49157

Published

2026-06-05T05:38:18.771Z

Modified

2026-06-05T07:45:23.835294163Z

Summary

Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default

Details

Incorrect Default Permissions vulnerability in Apache ActiveMQ.

This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.

Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

Database specific

{
    "cpes": [
        "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / activemq

Package

Name: activemq
Purl: pkg:bitnami/activemq

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.19.7

Introduced

6.0.0

Fixed

6.2.6

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/activemq/BIT-activemq-2026-49157.json"