Incorrect Default Permissions in Apache ActiveMQ Affects Security Management
CVE-2026-49157

8.8HIGH

Key Information:

Vendor: Apache
Status: Apache ActiveMQ
Vendor: CVE Published:; 1 June 2026

What is CVE-2026-49157?

The vulnerability in Apache ActiveMQ arises from incorrect default permissions within its Jolokia authorization settings. This flaw enables low-privilege web-login accounts to perform administrative actions, such as adding or removing queues that should be restricted to higher privilege users. Affected users are strongly encouraged to upgrade to the latest versions (5.19.7 or 6.2.6) to mitigate this risk and enhance their security posture.

Affected Version(s)

Apache ActiveMQ 0 < 5.19.7

Apache ActiveMQ 6.0.0 < 6.2.6

References

https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q...

vendor-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 1, 2026
Vulnerability Reserved
May 27, 2026

Credit

Leon Johnson (github: lokerxx)

CVE-2026-49157 Data

JSON