CVE-2026-49270
Status: Analyzed (Analysis Complete)
Exposure of Sensitive Information via Metadata in Apache ActiveMQ

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: Apache Software Foundation

Description
Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, and Apache ActiveMQ All. Brokers configured with a network connector that has syncDurableSubs set to true are vulnerable to an unauthenticated attacker, who can obtain a list of all durable topic subscriptions on the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring that the connection is authenticated. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.
Meta Information
Generated: 2026-06-21
AI Q&A: 2026-06-01
EPSS Evaluated: 2026-06-20
Affected Vendors & Products (4 associated CPEs)
Vendor   Product           Version / Range
apache   activemq          up to 5.19.7 (exclusive)
apache   activemq          from 6.0.0 (inclusive) to 6.2.6 (exclusive)
apache   activemq_broker   up to 5.19.7 (exclusive)
apache   activemq_broker   from 6.0.0 (inclusive) to 6.2.6 (exclusive)
CWE
CWE-1230: The product prevents direct access to a resource containing sensitive information, but it does not sufficiently limit access to metadata that is derived from the original, sensitive information.
AI Quick Actions (insights generated by AI)
Compliance Impact

The vulnerability allows an unauthenticated attacker to access sensitive information about durable topic subscriptions, including client identifiers and subscription details, because the broker answers before checking that the connection is authenticated.

Exposure of such sensitive information could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require protection of personal and sensitive data from unauthorized access.

However, the provided information does not explicitly state the impact on compliance with these standards.

Executive Summary

CVE-2026-49270 is a vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, and Apache ActiveMQ All that allows an unauthenticated attacker to obtain sensitive information about durable topic subscriptions.

This happens when brokers are configured with a network connector where the syncDurableSubs setting is true. An attacker can send a specially crafted BrokerInfo command and receive details such as client identifiers, subscription names, topic destinations, and JMS selector expressions without needing to authenticate.

The vulnerability affects versions before 5.19.7 and from 6.0.0 before 6.2.6. It has been fixed in versions 5.19.7 and 6.2.6.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information related to durable topic subscriptions in Apache ActiveMQ.

An attacker can learn client identifiers, subscription names, topic destinations, and JMS selector expressions without authentication, which could be used to map out messaging infrastructure or facilitate further attacks.

Detection Guidance

Exposure to this vulnerability can be identified by checking whether your Apache ActiveMQ Broker is configured with a network connector on which the syncDurableSubs parameter is set to true.

On such a broker, an unauthenticated attacker can send a BrokerInfo command and receive sensitive information about durable topic subscriptions without authenticating.

To detect this on your system, you can attempt to send a BrokerInfo command to the broker without authentication and observe if the broker responds with subscription details.

While specific commands are not provided in the available resources, a network scan or script that sends BrokerInfo commands to the broker and checks for unauthorized responses could be used.
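As an added defensive check for the configuration condition described above (example code written for this page, not from the Apache ActiveMQ project), the script below parses an activemq.xml broker configuration and lists every networkConnector whose syncDurableSubs attribute is explicitly true. It assumes the setting appears as an XML attribute on the networkConnector element (the sample configuration is constructed) and treats an absent attribute as the default, which it does not flag.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an activemq.xml broker configuration (not from a real deployment).
SAMPLE_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="broker-a">
    <networkConnectors>
      <networkConnector name="to-b" uri="static:(tcp://broker-b:61616)" syncDurableSubs="true"/>
      <networkConnector name="to-c" uri="static:(tcp://broker-c:61616)" syncDurableSubs="false"/>
      <networkConnector name="to-d" uri="static:(tcp://broker-d:61616)"/>
    </networkConnectors>
  </broker>
</beans>"""


def _local_name(tag: str) -> str:
    """Strip the XML namespace so the Spring and ActiveMQ namespaces do not matter."""
    return tag.rsplit("}", 1)[-1]


def find_exposed_network_connectors(xml_text: str) -> list[str]:
    """Return the name (or uri, if unnamed) of each networkConnector with syncDurableSubs="true".

    Only an explicit true value is flagged. A connector without the attribute is
    assumed to use the default, which this check does not treat as enabled.
    """
    root = ET.fromstring(xml_text)
    flagged = []
    for elem in root.iter():
        if _local_name(elem.tag) != "networkConnector":
            continue
        value = elem.get("syncDurableSubs", "false").strip().lower()
        if value == "true":
            flagged.append(elem.get("name", elem.get("uri", "<unnamed>")))
    return flagged


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_ACTIVEMQ_XML
    for name in find_exposed_network_connectors(text):
        print(f"networkConnector '{name}' has syncDurableSubs=true; "
              "upgrade to 5.19.7 / 6.2.6 or disable the setting until patched")
```

Run it with the path to a broker's activemq.xml as the only argument; with no argument it audits the constructed sample and reports the connector named to-b.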

Mitigation Strategies

The primary immediate mitigation is to upgrade Apache ActiveMQ Broker, Apache ActiveMQ, or Apache ActiveMQ All to version 5.19.7 (5.x line) or 6.2.6 (6.x line) or later, where this vulnerability has been fixed.

Until the upgrade can be performed, review your broker configuration and, if the deployment can tolerate it, set syncDurableSubs to false on the network connector so that the exposure condition no longer applies.

Additionally, restrict network access to the broker to trusted users and systems to reduce the risk of unauthenticated access.
