CVE-2026-49877

Improper Authorization in Apache ActiveMQ Web Console

Vulnerability report for CVE-2026-49877, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Apache Software Foundation

Description

Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Affected Vendors & Products

Vendor   Product    Version / Range
apache   activemq   up to 5.19.8 (excluding)
apache   activemq   up to 6.2.7 (excluding)
apache   activemq   from 6.0.0 (including) up to 6.2.7 (excluding)

CWE

CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

This vulnerability is an Improper Authorization issue in Apache ActiveMQ's Web Console. Specifically, an authenticated user with low privileges can access administrative paths (/admin/*) in the Web Console because the default Jetty server settings do not restrict these paths to admin users only.

This means that users who should not have administrative access can potentially reach admin functions due to incorrect access controls.

Impact Analysis

The impact of this vulnerability is that low-privilege authenticated users can gain unauthorized access to administrative areas of the Apache ActiveMQ Web Console. This could allow them to perform actions or view information that should be restricted to administrators only.

Such unauthorized access can lead to misuse or compromise of the messaging system managed by ActiveMQ.

Detection Guidance

This vulnerability involves an authenticated low-privilege Web Console user being able to access /admin/* paths in the Apache ActiveMQ Web Console due to improper authorization.

To detect this vulnerability, you can attempt to log in to the ActiveMQ Web Console with a low-privilege user account and check if you can access URLs under /admin/*.

Specific commands or automated detection scripts are not provided in the available information.

Mitigation Strategies

The recommended immediate mitigation is to upgrade Apache ActiveMQ to version 6.2.7 or 5.19.8, where this improper authorization issue has been fixed.

Compliance Impact

The vulnerability allows authenticated low-privilege users to access administrative paths in the Apache ActiveMQ Web Console due to improper authorization. This unauthorized access to administrative functions could potentially lead to exposure or manipulation of sensitive data or system configurations.

Such unauthorized access may impact compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information. Failure to restrict administrative access properly could result in violations of these compliance requirements.

Upgrading to fixed versions 5.19.8 or 6.2.7 is recommended to mitigate this issue and help maintain compliance by enforcing proper authorization controls.
