Improper Access Control in Apache Artemis Messaging System
CVE-2026-40914
4.3 MEDIUM
Key Information:
- Vendor: Apache
- CVE Published: 28 May 2026
What is CVE-2026-40914?
A security issue in Apache Artemis allows users who hold credentials for sending or consuming messages to alter the routing type of an address. A user without the 'createAddress' permission can send or consume messages using a routing type that the address does not support, and in doing so change the address's routing type. Such operations should be restricted by the access permissions configured on the broker, but these checks can be bypassed, which raises potential security risks. To mitigate this issue, users should upgrade to Apache Artemis version 2.54.0.
Affected Version(s)
- Apache ActiveMQ Artemis Stomp Protocol 2.0.0 through 2.44.0 (inclusive)
- Apache Artemis Stomp Protocol 2.50.0 through 2.53.0 (inclusive)
CVSS v3.1
- Score: 4.3
- Severity: MEDIUM
- Confidentiality: None
- Integrity: Low
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
- Vulnerability published
- Vulnerability reserved
Credit
- bugbunny.ai
- Isaac David <isaac@bugbunny.ai>
- Arthur Gervais <arthur@bugbunny.ai>