Authorization Flaw in Apache ActiveMQ Artemis Affects Multiple Versions
CVE-2026-32642

2.3LOW

Key Information:

Vendor: Apache
Status: Apache Artemis; Apache ActiveMQ Artemis
Vendor: CVE Published:; 24 March 2026

What is CVE-2026-32642?

An incorrect authorization vulnerability exists in Apache Artemis and Apache ActiveMQ Artemis when an authenticated user with the 'createDurableQueue' permission attempts to create a non-durable JMS topic subscription on a non-existent address. If address auto-creation is disabled, the subscription creation should fail, but owing to this flaw, a temporary address may still be created. This vulnerability affects specific versions of the products, prompting users to upgrade to version 2.53.0 to remediate the issue.

Affected Version(s)

Apache ActiveMQ Artemis 2.0.0 <= 2.44.0

Apache Artemis 2.50.0 <= 2.52.0

References

https://lists.apache.org/thread/4wlrp31ngq2yb54sf4kjb3bl4...

vendor-advisory

CVSS V4

Score:

2.3

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 24, 2026
Vulnerability Reserved
Mar 12, 2026

Credit

Stephen Higgs <shiggs@redhat.com>

CVE-2026-32642 Data

JSON