CVE-2026-46605
Authorization Bypass in Apache ActiveMQ Broker
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | activemq_broker | to 6.2.6 (exc) |
| apache | activemq_all | to 6.2.6 (exc) |
| apache | activemq | to 6.2.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46605 is a vulnerability in Apache ActiveMQ server versions before v6.2.6 and v5.19.7. It involves incomplete authorization where authenticated users with valid credentials can remove existing destinations even if they do not have proper permissions to do so.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are recommended to upgrade Apache ActiveMQ to version v6.2.6 or v5.19.7, which contain the fix for the incomplete authorization issue.
How can this vulnerability impact me? :
This vulnerability allows authenticated users to delete destinations they should not have access to, potentially disrupting messaging services and causing loss of important message routing configurations.