Incomplete Authorization in Apache ActiveMQ Server Affects Multiple Versions
CVE-2026-46605

Currently unrated

Key Information:

Vendor: Apache
Status: Apache ActiveMQ Broker; Apache ActiveMQ All; Apache ActiveMQ
Vendor: CVE Published:; 1 June 2026

What is CVE-2026-46605?

A significant vulnerability exists in Apache ActiveMQ servers prior to versions 6.2.6 and 5.19.7, where incomplete authorization permits authenticated users to remove existing destinations, provided they have the appropriate permissions. This flaw can lead to unauthorized modifications and disruptions in messaging services. Users are strongly advised to upgrade to the latest versions to mitigate this risk and ensure the integrity of their systems.

Affected Version(s)

Apache ActiveMQ 0 < 5.19.7

Apache ActiveMQ 6.0.0 < 6.2.6

Apache ActiveMQ All 0 < 5.19.7

References

https://lists.apache.org/thread/l4lxgr2s73g9pb218f180psfy...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
May 15, 2026

Credit

Leon Johnson (github: lokerxx)

CVE-2026-46605 Data

JSON