CVE-2026-49157

Source
https://cve.org/CVERecord?id=CVE-2026-49157
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49157.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-49157
Aliases
Downstream
Published
2026-06-01T07:20:10.862Z
Modified
2026-07-15T01:49:05.838075392Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default
Details

Incorrect Default Permissions vulnerability in Apache ActiveMQ.

This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.

Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

Database specific
{
    "cna_assigner": "apache",
    "cwe_ids": [
        "CWE-276"
    ],
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "fixed": "5.19.7"
                },
                {
                    "introduced": "6.0.0"
                },
                {
                    "fixed": "6.2.6"
                }
            ]
        },
        {
            "source": "DESCRIPTION",
            "extracted_events": [
                {
                    "fixed": "5.19.7"
                },
                {
                    "introduced": "6.0.0"
                },
                {
                    "fixed": "6.2.6"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49157.json"
}
References

Affected packages

Git / github.com/apache/activemq

Affected ranges

Type
GIT
Repo
https://github.com/apache/activemq
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.19.7"
        },
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.2.6"
        }
    ]
}

Affected versions

activemq-5.*
activemq-5.10.0
activemq-5.11.0
activemq-5.12.0
activemq-5.13.0
activemq-5.14.0
activemq-5.15.0
activemq-5.16.0
activemq-5.18.0
activemq-5.18.1
activemq-5.18.2
activemq-5.18.3
activemq-5.18.4
activemq-5.18.5
activemq-5.18.6
activemq-5.19.0
activemq-5.19.1
activemq-5.19.2
activemq-5.9.0
activemq-6.*
activemq-6.0.0
activemq-6.1.0
activemq-6.1.1
activemq-6.1.2
activemq-6.2.0
activemq-6.2.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-49157.json"