Apache Archiva: incorrect authentication potentially leading to account takeover
Description
UNSUPPORTED WHEN ASSIGNED
Incorrect Authorization vulnerability in Apache Archiva: a vulnerability in Apache Archiva allows an unauthenticated attacker to modify account data, potentially leading to account takeover.
This issue affects Apache Archiva: from 2.0.0.
As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Archiva 2.0.0+ has an incorrect authorization vulnerability allowing unauthenticated attackers to modify account data, leading to account takeover.
Vulnerability
Overview
CVE-2024-27139 is an incorrect authorization vulnerability in Apache Archiva, a retired repository manager. Apache Archiva versions 2.0.0 and later are affected. The flaw enables an unauthenticated attacker to modify account data, which can result in full account takeover [1][2].
Root Cause and Attack Vector
The vulnerability stems from a lack of proper authorization checks on account modification endpoints. An attacker can send crafted requests without authentication to alter sensitive account information, such as passwords or permissions. No user interaction or prior access is required, making the attack vector straightforward for anyone able to reach the Archiva instance [1][2].
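To make the flaw class concrete, the following is an added, hypothetical account-update handler written for this page; it is not Apache Archiva's code and says nothing about Archiva's real endpoints. The user store, role name "system-administrator", and the Request shape are all assumptions. The vulnerable variant trusts the username supplied in the request body and never asks who is calling, which is exactly the missing check the description refers to; the hardened variant authenticates the caller first and then authorizes the change (self-service or an administrative role).

```python
"""Missing-authorization on an account-modification endpoint, side by side
with the corrected handler. Illustrative only: not Apache Archiva's code."""
import copy
from dataclasses import dataclass
from typing import Optional


class Unauthenticated(Exception):
    """No valid session accompanied the request."""


class Forbidden(Exception):
    """The caller is authenticated but not allowed to change this account."""


# Constructed sample user store (assumed data, not from any real system).
_SAMPLE_USERS = {
    "alice": {"password_hash": "hash-alice", "roles": {"user"}},
    "admin": {"password_hash": "hash-admin", "roles": {"user", "system-administrator"}},
}


def fresh_store():
    """Return an independent copy of the sample store so runs do not interfere."""
    return copy.deepcopy(_SAMPLE_USERS)


@dataclass
class Request:
    body: dict                        # e.g. {"username": ..., "new_password_hash": ...}
    session_user: Optional[str] = None  # None means no authenticated session


def update_account_vulnerable(req: Request, users: dict) -> str:
    """Flawed handler: whatever username the body names gets its credentials
    overwritten. Nothing ties the change to an authenticated principal, so an
    unauthenticated caller can rewrite any account, including administrative ones."""
    target = req.body["username"]
    users[target]["password_hash"] = req.body["new_password_hash"]
    return "ok"


def update_account_hardened(req: Request, users: dict) -> str:
    """Corrected handler: authenticate, then authorize, then modify."""
    # 1. Authentication: the request must carry a session bound to a known user.
    if req.session_user is None or req.session_user not in users:
        raise Unauthenticated("login required")

    target = req.body["username"]
    if target not in users:
        raise Forbidden("unknown target account")  # avoid leaking which names exist

    # 2. Authorization: only the account owner or an administrator may change it.
    is_self = target == req.session_user
    is_admin = "system-administrator" in users[req.session_user]["roles"]
    if not (is_self or is_admin):
        raise Forbidden("caller may not modify this account")

    # 3. Only now perform the state change.
    users[target]["password_hash"] = req.body["new_password_hash"]
    return "ok"


if __name__ == "__main__":
    anonymous = Request(body={"username": "admin", "new_password_hash": "h-new"})
    store = fresh_store()
    print("vulnerable:", update_account_vulnerable(anonymous, store), store["admin"])
    store = fresh_store()
    try:
        update_account_hardened(anonymous, store)
    except Unauthenticated as exc:
        print("hardened:", exc, store["admin"])
```

The ordering in the hardened handler is the point: the identity check has to happen before any data the request names is looked up or written, and the authorization decision has to be made against the session's principal, not against anything the client put in the body.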
Impact and Severity
Successful exploitation grants an attacker complete control over targeted accounts, including administrative accounts if the attacker targets them. This can lead to unauthorized access to stored artifacts, configuration changes, and potential lateral movement within the network. The severity is rated as important by the Apache security team [2].
Mitigation and Status
Apache Archiva is a retired project; no official patch will be released. Users are strongly advised to either migrate to an alternative solution or restrict network access to the instance to trusted users only. The vulnerability is classified as "UNSUPPORTED WHEN ASSIGNED" because the product is no longer maintained [1][2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.archiva:archivaMaven | >= 2.0.0, <= 2.2.10 | — |
Affected products
- Apache Software Foundation / Apache Archiva, Range: 2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-h595-vwhc-3xwx (ghsa, ADVISORY)
- lists.apache.org/thread/qr8b7r86p1hkn0dc0q827s981kf1bgd8 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-27139 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2024/03/01/3 (ghsa, WEB)
News mentions
No linked articles in our index yet.