Incomplete Authorization in Apache ActiveMQ Server Affects Multiple Versions
CVE-2026-46605

4.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache ActiveMQ Broker; Apache ActiveMQ All; Apache ActiveMQ
Vendor: CVE Published:; 1 June 2026

What is CVE-2026-46605?

A significant vulnerability exists in Apache ActiveMQ servers prior to versions 6.2.6 and 5.19.7, where incomplete authorization permits authenticated users to remove existing destinations, provided they have the appropriate permissions. This flaw can lead to unauthorized modifications and disruptions in messaging services. Users are strongly advised to upgrade to the latest versions to mitigate this risk and ensure the integrity of their systems.

Affected Version(s)

Apache ActiveMQ 0 < 5.19.7

Apache ActiveMQ 6.0.0 < 6.2.6

Apache ActiveMQ All 0 < 5.19.7

References

https://lists.apache.org/thread/l4lxgr2s73g9pb218f180psfy...

vendor-advisory

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
May 15, 2026

Credit

Leon Johnson (github: lokerxx)

CVE-2026-46605 Data

JSON