CVE-2026-49157
Status: Analyzed - Analysis Complete
Incorrect Default Permissions in Apache ActiveMQ

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Apache Software Foundation

Description
Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
Meta Information

Published: 2026-06-01

Last Modified: 2026-06-01

Generated: 2026-06-21

AI Q&A: 2026-06-01

EPSS Evaluated: 2026-06-20

External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)

Vendor   Product    Version / Range
apache   activemq   up to 5.19.7 (exclusive)
apache   activemq   from 6.0.0 (inclusive) up to 6.2.6 (exclusive)
CWE

CWE-276: During installation, installed file permissions are set to allow anyone to modify those files.
Compliance Impact

The vulnerability allows non-admin, low-privilege users to perform administrative broker management operations via Jolokia, which could lead to unauthorized access or modification of system configurations.

Such unauthorized access may increase the risk of data breaches or system misuse, potentially impacting compliance with standards and regulations like GDPR and HIPAA that require strict access controls and protection of sensitive data.

Therefore, until the affected Apache ActiveMQ versions are upgraded to fixed releases (5.19.7 or 6.2.6), organizations may face challenges in maintaining compliance with these regulations due to insufficient access restrictions.

Executive Summary

CVE-2026-49157 is an Incorrect Default Permissions vulnerability in Apache ActiveMQ versions before 5.19.7 and in versions from 6.0.0 before 6.2.6.

The default Jolokia authorization settings mistakenly grant non-admin (low-privilege) web-login accounts access to Jolokia operations.

This improper permission allows these low-privilege users to execute broker management operations that should be restricted to administrators, such as adding or removing queues.

Impact Analysis

This vulnerability can allow unauthorized low-privilege users to perform administrative broker management operations on Apache ActiveMQ.

  • They can add or remove message queues, potentially disrupting messaging services.
  • Such unauthorized actions could lead to service interruptions, data loss, or manipulation of message flows.

Overall, the issue compromises the integrity and availability of the messaging system.

Mitigation Strategies

To mitigate the CVE-2026-49157 vulnerability in Apache ActiveMQ, users are recommended to upgrade to version 5.19.7 or 6.2.6, which contain fixes for the incorrect default permissions issue.

This vulnerability allows low-privilege web-login accounts to access Jolokia operations that should be restricted to administrators, such as addQueue and removeQueue. Upgrading ensures these permissions are correctly set.
