CVE-2026-27446
Missing Authentication in Apache Artemis Core Protocol Enables Message Injection
Publication date: 2026-03-04
Last updated on: 2026-03-17
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | activemq_artemis | From 2.11.0 (inc) to 2.44.0 (inc) |
| apache | artemis | 2.50.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Missing Authentication for Critical Function (CWE-306) in Apache Artemis and Apache ActiveMQ Artemis. It allows an unauthenticated remote attacker to use the Core protocol to force a target broker to establish an outbound Core federation connection to a rogue broker controlled by the attacker.
As a result, the attacker could inject messages into any queue or exfiltrate messages from any queue via the rogue broker. This issue occurs in environments that allow both incoming Core protocol connections from untrusted sources and outgoing Core protocol connections from the broker to untrusted targets.
Affected versions include Apache Artemis from 2.50.0 through 2.51.0 and Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.
How can this vulnerability impact me?:
This vulnerability can have serious impacts including unauthorized message injection into queues and unauthorized message exfiltration from queues.
An attacker can remotely exploit this without authentication, potentially compromising the integrity and confidentiality of the messaging system.
This could lead to data breaches, manipulation of message flows, and disruption of normal operations in systems relying on Apache Artemis or Apache ActiveMQ Artemis brokers.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthenticated remote attackers using the Core protocol to force a broker to establish outbound connections to rogue brokers. Detection would involve monitoring for unexpected outbound Core protocol connections from your broker to untrusted targets, as well as incoming Core protocol connections from untrusted sources.
Specifically, you should check if your broker is accepting Core protocol connections on the default port 61616 or other configured acceptors without proper authentication.
While the advisory provides no specific commands, typical detection steps include:
- Using network monitoring tools (e.g., tcpdump, Wireshark) to capture and analyze traffic on port 61616 for unexpected Core protocol connections.
- Checking broker logs for any outbound Core federation connections to unknown or suspicious IP addresses.
- Reviewing the broker's acceptor configuration to identify if Core protocol is enabled for acceptors exposed to untrusted networks.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Remove Core protocol support from any acceptor that receives connections from untrusted sources. This can be done by configuring the acceptor URL to exclude the Core protocol in the 'protocols' parameter.
- Use two-way SSL (certificate-based authentication) to require clients to present valid SSL certificates before any message protocol handshake, preventing unauthenticated exploitation.
- Upgrade Apache Artemis or Apache ActiveMQ Artemis to version 2.52.0 or later, where this vulnerability is fixed.
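The acceptor review from the detection and mitigation answers above, as an added audit script that is not part of the advisory or the Artemis project: it parses a constructed broker.xml and flags every acceptor that still offers the Core protocol to non-loopback clients without two-way SSL. It assumes that an acceptor with no `protocols` parameter enables all protocols (CORE included), that loopback-bound acceptors are trusted, and that `sslEnabled=true;needClientAuth=true` is what enforces client certificates; the keystore paths and passwords are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample broker.xml (not from the advisory): "artemis" is the weak acceptor, "core-mtls" the hardened one.
BROKER_XML = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <acceptors>
      <acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP;useEpoll=true</acceptor>
      <acceptor name="core-mtls">tcp://0.0.0.0:61617?protocols=CORE;sslEnabled=true;keyStorePath=/PLACEHOLDER/broker.p12;keyStorePassword=PLACEHOLDER;trustStorePath=/PLACEHOLDER/clients.p12;trustStorePassword=PLACEHOLDER;needClientAuth=true</acceptor>
      <acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP;sslEnabled=true</acceptor>
      <acceptor name="loopback">tcp://127.0.0.1:61618</acceptor>
    </acceptors>
  </core>
</configuration>"""

LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}

def parse_acceptor_url(url):
    """Split an Artemis acceptor URL into (host, port, params); Artemis separates params with ';'."""
    parsed = urlparse(url)
    params = {}
    for pair in parsed.query.split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = value
    return parsed.hostname, parsed.port, params

def audit_acceptor(name, url):
    host, port, params = parse_acceptor_url(url)
    protocols = [p.strip().upper() for p in params.get("protocols", "").split(",") if p.strip()]
    # Assumption: without a 'protocols' parameter Artemis enables every available protocol, so CORE is on.
    core_enabled = not protocols or "CORE" in protocols
    mutual_tls = (params.get("sslEnabled", "false").lower() == "true"
                  and params.get("needClientAuth", "false").lower() == "true")
    # Loopback-only acceptors are treated as trusted; anything else may face untrusted clients.
    exposed = core_enabled and host not in LOOPBACK_HOSTS and not mutual_tls
    return {"name": name, "host": host, "port": port, "core": core_enabled,
            "mutual_tls": mutual_tls, "exposed": exposed}

def audit_broker_xml(xml_text):
    """Return one finding per <acceptor> element, whatever XML namespace the file declares."""
    root = ET.fromstring(xml_text)
    return [audit_acceptor(el.get("name"), el.text.strip())
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "acceptor" and el.text]

def exposed_acceptors(xml_text):
    return [f["name"] for f in audit_broker_xml(xml_text) if f["exposed"]]

if __name__ == "__main__":
    print("acceptors exposing unauthenticated CORE:", exposed_acceptors(BROKER_XML))
```

Point `audit_broker_xml` at the contents of a real broker.xml to list the acceptors that need the `protocols` change or the two-way SSL settings described above.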