CVE-2026-49157

HIGH 8.8

Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

3th

Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

CWE	CWE-276
Vendor	apache software foundation
Product	apache activemq
Published	Jun 1, 2026
Last Updated	Jun 1, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache activemq

Be the first to know when new high vulnerabilities affecting apache software foundation apache activemq are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache ActiveMQ

0 < 5.19.7 6.0.0 < 6.2.6

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8 openwall.com: http://www.openwall.com/lists/oss-security/2026/05/31/21

Credits

Leon Johnson (github: lokerxx)