CVE-2026-49270
Exposure of Sensitive Information via Metadata in Apache ActiveMQ
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Apache Software Foundation
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | activemq_broker | From 6.0.0 (inc) to 6.2.6 (exc) |
| apache | activemq | From 6.0.0 (inc) to 6.2.6 (exc) |
| apache | activemq_all | From 6.0.0 (inc) to 6.2.6 (exc) |
| apache | activemq_broker | to 6.2.6 (exc) |
| apache | activemq | to 6.2.6 (exc) |
| apache | activemq_all | to 6.2.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1230 | The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets an unauthenticated attacker read metadata about durable topic subscriptions: client identifiers, subscription names, topic destinations and JMS selector expressions.
Where that metadata identifies individuals or reveals how regulated data flows through the messaging layer, its disclosure can bear on obligations under GDPR or HIPAA, both of which require that personal and sensitive data be protected from unauthorized access.
The advisory itself states no compliance impact; that assessment depends on what your client IDs, destination names and selectors actually reveal.
Can you explain this vulnerability to me?
CVE-2026-49270 is a vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, and Apache ActiveMQ All that allows an unauthenticated attacker to obtain sensitive information about durable topic subscriptions.
The precondition is a broker configured with a network connector whose syncDurableSubs setting is true. In that configuration, an attacker who can reach the broker can send a specially crafted BrokerInfo command and receive details such as client identifiers, subscription names, topic destinations, and JMS selector expressions without authenticating. The issue is classified as CWE-1230: what leaks is the metadata describing subscriptions, not the messages themselves.
The vulnerability affects versions before 5.19.7 and versions from 6.0.0 before 6.2.6. It has been fixed in 5.19.7 and 6.2.6.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of subscription metadata in Apache ActiveMQ: client identifiers, subscription names, topic destinations, and JMS selector expressions, all obtainable without authentication.
That is reconnaissance material. An attacker can map which clients consume which topics, learn the property names and values that selectors filter on (these often encode business meaning), and use that picture to choose targets for further attacks. Message payloads are not part of what this issue discloses.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Two checks together determine exposure. First, confirm the broker version: anything before 5.19.7, or from 6.0.0 before 6.2.6, is affected. Second, inspect the broker configuration (the Spring XML, normally conf/activemq.xml) for any networkConnector element with syncDurableSubs set to true; that setting is the precondition the advisory names.
A broker that is both on an affected version and has such a connector will answer a crafted BrokerInfo command from an unauthenticated client with durable-subscription details.
The advisory does not publish a probe command or the wire format of the crafted BrokerInfo message, so an active check would have to be built from the OpenWire protocol yourself, and should only be run against brokers you are authorized to test. The version and configuration checks above need no network access and are sufficient to decide whether a broker is exposed.
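The two offline checks described above, as an added example (this is not code from the Apache ActiveMQ project or from the advisory). It parses a broker's Spring XML for networkConnector elements with syncDurableSubs="true" and compares a version string against the affected ranges the advisory gives. The sample configurations are constructed for the example; the element and attribute names follow the standard activemq.xml layout.

```python
"""Offline pre-checks for CVE-2026-49270 (Apache ActiveMQ).

Added example, not ActiveMQ project code. Checks the two preconditions the
advisory names: an affected broker version, and a <networkConnector> with
syncDurableSubs="true" in the broker's Spring XML (normally conf/activemq.xml).
"""
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Ranges from the advisory: before 5.19.7, and 6.0.0 up to (excluding) 6.2.6.
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((0, 0, 0), (5, 19, 7)),
    ((6, 0, 0), (6, 2, 6)),
]

# Constructed sample broker configuration (not a real deployment).
VULNERABLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker-a">
    <networkConnectors>
      <networkConnector name="to-broker-b" uri="static:(tcp://broker-b:61616)"
                        syncDurableSubs="true"/>
    </networkConnectors>
  </broker>
</beans>
"""

# Same broker with the setting turned off, the interim mitigation the advisory suggests.
HARDENED_CONFIG = VULNERABLE_CONFIG.replace('syncDurableSubs="true"', 'syncDurableSubs="false"')


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '6.2.5' or '5.19.7-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    core = version.strip().split("-", 1)[0]          # drop qualifiers such as -SNAPSHOT
    nums = [int(p) for p in core.split(".")[:3]]     # ValueError on non-numeric parts
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected_version(version: str) -> bool:
    """True if the version falls inside either affected range."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def _local(tag: str) -> str:
    """Strip the XML namespace so namespaced and plain networkConnector tags both match."""
    return tag.rsplit("}", 1)[-1]


def find_syncing_connectors(xml_text: str) -> List[Dict[str, str]]:
    """Return every networkConnector whose syncDurableSubs is not literally 'false'.

    A value of 'true' is a finding. Anything else (e.g. a ${placeholder}) is
    returned too, with its raw value, so it can be resolved and reviewed by hand.
    """
    root = ET.fromstring(xml_text)
    findings: List[Dict[str, str]] = []
    for el in root.iter():
        if _local(el.tag) != "networkConnector":
            continue
        raw = el.get("syncDurableSubs")
        if raw is None or raw.strip().lower() == "false":
            continue
        findings.append({"name": el.get("name", "(unnamed)"),
                         "uri": el.get("uri", ""),
                         "value": raw})
    return findings


def assess(version: str, xml_text: str) -> Dict[str, object]:
    """Exposed only when the version is affected AND a connector has syncDurableSubs=true."""
    connectors = find_syncing_connectors(xml_text)
    affected = is_affected_version(version)
    syncing = any(c["value"].strip().lower() == "true" for c in connectors)
    return {"affected_version": affected,
            "syncing_connectors": connectors,
            "exposed": affected and syncing}


if __name__ == "__main__":
    # Usage: python check.py <broker-version> [path/to/activemq.xml]
    ver = sys.argv[1] if len(sys.argv) > 1 else "6.2.5"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            print(assess(ver, fh.read()))
    else:
        for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
            print(label, assess(ver, cfg))
```

Run it against the real broker version and configuration file rather than the embedded samples. Any connector returned with a non-literal value (a Spring property placeholder, for instance) is not resolved by this script and must be checked against the property source it refers to; the script errs toward reporting it rather than silently treating it as off.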
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade: to 5.19.7 or later on the 5.x line, or 6.2.6 or later on the 6.x line, where the issue is fixed.
Until the upgrade is done, review the broker configuration and set syncDurableSubs to false on each networkConnector where it is enabled. That setting governs how durable subscriptions are propagated across the network bridge, so validate delivery behaviour in a test environment before changing it in production.
Because the attack needs only network reachability and no credentials, also restrict access to the broker's transport ports to trusted hosts and networks; that is the most effective interim control.