CVE-2026-54475
Received - Intake

Authorization Bypass in Apache ActiveMQ via Temporary Destination

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: Apache Software Foundation

Description

Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
AI Q&A: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
apache activemq_broker From 6.0.0 (inc) to 6.2.7 (exc)
apache activemq_all From 6.0.0 (inc) to 6.2.7 (exc)
apache activemq From 6.0.0 (inc) to 6.2.7 (exc)

Exploitability

CWE
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

This vulnerability is a Missing Authorization issue in Apache ActiveMQ Broker and related products. Temporary destinations in Apache ActiveMQ Classic are supposed to be isolated to the connection that created them. However, this isolation is only enforced on the client side, which means a different connection can consume messages from another connection's temporary destination, breaking the intended isolation.

Impact Analysis

The impact of this vulnerability is that unauthorized connections can access temporary destinations created by other connections. This can lead to unauthorized consumption of messages, potentially exposing sensitive data or disrupting message flows within the messaging system.

Mitigation Strategies

Users are recommended to upgrade Apache ActiveMQ Broker, Apache ActiveMQ All, or Apache ActiveMQ to version 6.2.7, which fixes the missing authorization vulnerability.

Compliance Impact

The vulnerability allows unauthorized access to temporary destinations in Apache ActiveMQ, potentially leading to unauthorized data access between different connections.

Such unauthorized access could result in exposure or leakage of sensitive information, which may impact compliance with data protection regulations like GDPR and HIPAA that require strict access controls and data confidentiality.

Organizations using affected versions of Apache ActiveMQ should upgrade to version 6.2.7 or later to mitigate this risk and help maintain compliance with these standards.
