Missing Authentication in Apache Artemis and ActiveMQ Messaging Services
CVE-2026-27446

9.3CRITICAL

Key Information:

Vendor: Apache
Status: Apache Artemis; Apache ActiveMQ Artemis
Vendor: CVE Published:; 4 March 2026

What is CVE-2026-27446?

A vulnerability in Apache Artemis and Apache ActiveMQ Artemis allows unauthenticated remote attackers to exploit the Core protocol, compelling a broker to establish outbound federations to attacker-controlled brokers. This scenario raises significant risks for message integrity, enabling potential message injection or exfiltration. The issue chiefly affects environments permitting incoming connections from untrusted sources and outgoing connections to untrusted targets. To mitigate this, it is crucial to either disable Core protocol support for untrusted acceptors or implement two-way SSL for secure, certificate-based authentication across client connections. Users are advised to upgrade to version 2.52.0 for enhanced security.

Affected Version(s)

Apache ActiveMQ Artemis 2.11.0 <= 2.44.0

Apache Artemis 2.50.0 <= 2.51.0

References

https://lists.apache.org/thread/jwpsdc8tdxotm98od8n8n30fq...

vendor-advisory

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 4, 2026
Vulnerability Reserved
Feb 19, 2026

Credit

Hardik Mehta <mehtahardik@proton.me>

CVE-2026-27446 Data

JSON