CVE-2026-49877

UNKNOWN 0.0

Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

CWE	CWE-285
Vendor	apache software foundation
Product	apache activemq
Published	Jun 30, 2026
Last Updated	Jun 30, 2026

Stay Ahead of the Next One

Get instant alerts for apache software foundation apache activemq

Be the first to know when new unknown vulnerabilities affecting apache software foundation apache activemq are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Apache Software Foundation / Apache ActiveMQ

0 < 5.19.8 6.0.0 < 6.2.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

lists.apache.org: https://lists.apache.org/thread/w82vtc3q02j5ot94tnyy1197y3wb98hl openwall.com: http://www.openwall.com/lists/oss-security/2026/06/29/9

Credits

Leon Johnson (github: lokerxx)