CVE-2026-49157
Status: Received - Intake
Incorrect Default Permissions in Apache ActiveMQ

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Apache Software Foundation

Description
Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
Meta Information
Published: 2026-06-01
Last Modified: 2026-06-01
Generated: 2026-06-01
AI Q&A: 2026-06-01
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs

Vendor | Product  | Version / Range
apache | activemq | up to 5.19.7 (exclusive)
apache | activemq | from 6.0.0 (inclusive) to 6.2.6 (exclusive)
apache | activemq | 6.2.6
apache | activemq | 5.19.7
CWE
CWE-276: During installation, installed file permissions are set to allow anyone to modify those files.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-49157 is an Incorrect Default Permissions vulnerability in Apache ActiveMQ versions before 5.19.7 and versions from 6.0.0 before 6.2.6.

The default Jolokia authorization settings mistakenly grant non-admin (low-privilege) web-login accounts access to Jolokia operations.

This improper permission allows these low-privilege users to execute broker management operations that should be restricted to administrators, such as adding or removing queues.


How can this vulnerability impact me?

This vulnerability can allow unauthorized low-privilege users to perform administrative broker management operations on Apache ActiveMQ.

  • They can add or remove message queues, potentially disrupting messaging services.
  • Such unauthorized actions could lead to service interruptions, data loss, or manipulation of message flows.

Overall, it compromises the integrity and availability of the messaging system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the CVE-2026-49157 vulnerability in Apache ActiveMQ, users are recommended to upgrade to version 5.19.7 or 6.2.6, which contain fixes for the incorrect default permissions issue.

This vulnerability allows low-privilege web-login accounts to access Jolokia operations that should be restricted to administrators, such as addQueue and removeQueue. Upgrading ensures these permissions are correctly set.

