Information Exposure Flaw in Apache ActiveMQ Products
CVE-2026-49270
Currently unrated
Key Information:
- Vendor: Apache
- CVE Published: 1 June 2026
What is CVE-2026-49270?
Apache ActiveMQ brokers configured with a network connector that has syncDurableSubs set to true can be exploited by unauthenticated attackers. By sending a BrokerInfo command, an attacker may gain unauthorized access to sensitive data such as durable topic subscriptions, client identifiers, subscription names, topic destinations, and JMS selector expressions. The issue arises because the broker fails to authenticate the connection before responding. Users are urged to upgrade to version 6.2.6 or 5.19.7 to mitigate this exposure.
Affected Version(s)
Apache ActiveMQ 5.14.0 < 5.19.7
Apache ActiveMQ 6.0.0 < 6.2.6
Apache ActiveMQ All 5.14.0 < 5.19.7
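
A broker matches the description above only when it runs an affected version and has a network connector with syncDurableSubs enabled. The audit check below is an added example, not code from Apache or from this advisory; the sample activemq.xml, the host and connector names, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: first affected <= version < first fixed.
AFFECTED = [((5, 14, 0), (5, 19, 7)), ((6, 0, 0), (6, 2, 6))]

# Constructed sample activemq.xml (broker name, connector names, hosts are made up).
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="b1">
    <networkConnectors>
      <networkConnector name="to-hub" syncDurableSubs="true"
                        uri="static:(tcp://hub.example.internal:61616)"/>
      <networkConnector name="to-edge"
                        uri="static:(tcp://edge.example.internal:61616)"/>
    </networkConnectors>
  </broker>
</beans>"""

def parse_version(text):
    """Turn '5.18.3' or '6.2.0-SNAPSHOT' into a comparable 3-tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def version_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)

def sync_durable_connectors(xml_text):
    """Names of networkConnector elements with syncDurableSubs enabled.
    Values set through property placeholders (${...}) are not resolved here."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        value = el.get("syncDurableSubs", "false").strip().lower()
        if tag == "networkConnector" and value == "true":
            hits.append(el.get("name", "<unnamed>"))
    return hits

def exposed(version, xml_text):
    """Both advisory conditions: affected version AND a syncDurableSubs connector."""
    hits = sync_durable_connectors(xml_text)
    return version_affected(version) and bool(hits), hits

if __name__ == "__main__":
    for ver in ("5.18.3", "6.2.6"):
        print(ver, exposed(ver, SAMPLE_CONFIG))
```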