Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission
Description
An Incorrect Authorization (CWE-863) vulnerability in Apache Artemis and Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that does not exist, authenticated as a user who has the "createDurableQueue" permission but not the "createAddress" permission, while address auto-creation is disabled. In this circumstance a temporary address is created, whereas the attempt to create the non-durable subscription should fail because the user is not authorized to create the corresponding address. When the OpenWire connection is closed, the address is removed.
This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.
Users are recommended to upgrade to version 2.53.0, which fixes the issue.
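The condition described above is a role-configuration question as much as a broker-version question: a role that holds createDurableQueue without createAddress, on a broker where auto-create-addresses is disabled, is the combination the advisory describes. The following Python script is an added example, not code from the Artemis project or from this advisory. It reads the security-settings and address-settings sections of a broker.xml (these element, attribute and permission names are Artemis configuration) and lists, per security-setting match, the roles that hold createDurableQueue but not createAddress, together with the address-setting patterns that set auto-create-addresses to false. The sample broker.xml is constructed for the example. Wildcard matching between the two sections is not resolved, so the output is a triage list of roles to review before the upgrade to 2.53.0, not a policy decision.

```python
"""Triage an Artemis broker.xml for the permission gap described in CVE-2026-32642.

Added example, not Artemis project code. It reports roles granted
createDurableQueue without createAddress, and address-setting patterns
that disable auto-create-addresses. Wildcard matching between the two
sections is deliberately not resolved.
"""
import xml.etree.ElementTree as ET

# Constructed sample broker.xml fragment (not from any real deployment).
SAMPLE_BROKER_XML = """<?xml version="1.0"?>
<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <security-settings>
      <security-setting match="#">
        <permission type="createAddress" roles="admin"/>
        <permission type="createDurableQueue" roles="admin,app"/>
        <permission type="createNonDurableQueue" roles="admin,app"/>
        <permission type="consume" roles="admin,app,reader"/>
        <permission type="send" roles="admin,app"/>
      </security-setting>
      <security-setting match="events.#">
        <permission type="createAddress" roles="admin,app"/>
        <permission type="createDurableQueue" roles="admin,app"/>
      </security-setting>
    </security-settings>
    <address-settings>
      <address-setting match="#">
        <auto-create-addresses>false</auto-create-addresses>
      </address-setting>
    </address-settings>
  </core>
</configuration>
"""


def _local(tag):
    """Strip the XML namespace from an element tag (broker.xml uses urn:activemq:core)."""
    return tag.rsplit("}", 1)[-1]


def _roles(attr):
    """Split a comma-separated roles attribute into a set of role names."""
    return {r.strip() for r in (attr or "").split(",") if r.strip()}


def parse_security_settings(xml_text):
    """Return {match_pattern: {permission_type: set(roles)}} from <security-settings>."""
    root = ET.fromstring(xml_text)
    settings = {}
    for setting in root.iter():
        if _local(setting.tag) != "security-setting":
            continue
        perms = {}
        for perm in setting:
            if _local(perm.tag) == "permission":
                perms.setdefault(perm.get("type"), set()).update(_roles(perm.get("roles")))
        settings[setting.get("match")] = perms
    return settings


def auto_create_disabled_matches(xml_text):
    """Return address-setting match patterns whose auto-create-addresses is false."""
    root = ET.fromstring(xml_text)
    disabled = []
    for setting in root.iter():
        if _local(setting.tag) != "address-setting":
            continue
        for child in setting:
            if _local(child.tag) == "auto-create-addresses" and (child.text or "").strip().lower() == "false":
                disabled.append(setting.get("match"))
    return disabled


def roles_at_risk(security):
    """Per match pattern, roles holding createDurableQueue but not createAddress."""
    result = {}
    for match, perms in security.items():
        gap = perms.get("createDurableQueue", set()) - perms.get("createAddress", set())
        if gap:
            result[match] = sorted(gap)
    return result


def audit(xml_text):
    """Combine both checks into one triage report for a broker.xml string."""
    security = parse_security_settings(xml_text)
    return {
        "roles_at_risk": roles_at_risk(security),
        "auto_create_disabled": auto_create_disabled_matches(xml_text),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_BROKER_XML)
    for match, roles in report["roles_at_risk"].items():
        print(f"match {match!r}: roles with createDurableQueue but no createAddress: {roles}")
    print("auto-create-addresses disabled for:", report["auto_create_disabled"])
```

On the constructed sample the script reports the `app` role under the `#` match and notes that `#` also has auto-create-addresses disabled; the `events.#` match is clean because `app` holds both permissions there. Run it against a real broker.xml by reading the file into a string and passing it to `audit`.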
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Apache Artemis and ActiveMQ Artemis, a user with createDurableQueue but not createAddress permission can bypass authorization to create a temporary address via OpenWire, which is removed on connection close.
Vulnerability
Overview
CVE-2026-32642 is an Incorrect Authorization (CWE-863) vulnerability in Apache Artemis and Apache ActiveMQ Artemis. The issue occurs when an authenticated application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that does not exist. If the user has the "createDurableQueue" permission but lacks the "createAddress" permission, and address auto-creation is disabled, a temporary address is incorrectly created instead of the operation failing due to insufficient authorization [1][2].
Exploitation
Scenario
An attacker with valid credentials and the "createDurableQueue" permission can exploit this flaw by sending a crafted OpenWire request to create a non-durable subscription on a non-existent address. The broker will create a temporary address, bypassing the intended authorization check for address creation. The temporary address is automatically removed when the OpenWire connection is closed [1][2].
Impact
This vulnerability allows an authenticated user to create temporary addresses without the required "createAddress" permission, violating the security policy. While the impact is limited to temporary addresses that are cleaned up upon connection closure, it represents a breach of the authorization model and could be leveraged in more complex attack chains [1][2].
Mitigation
The issue affects Apache Artemis versions 2.50.0 through 2.52.0 and Apache ActiveMQ Artemis versions 2.0.0 through 2.44.0. Users are recommended to upgrade to version 2.53.0, which contains the fix [1][2]. No workarounds have been published.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.artemis:artemis-openwire-protocol | Maven | >= 2.50.0, < 2.53.0 | 2.53.0 |
| org.apache.activemq:artemis-openwire-protocol | Maven | >= 2.0.0, < 2.53.0 | 2.53.0 |
Affected products
- Apache Software Foundation / Apache ActiveMQ Artemis, range from 2.0.0
- Apache Software Foundation / Apache Artemis, range from 2.50.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f4gc-mwrg-q36r (GHSA advisory)
- lists.apache.org/thread/4wlrp31ngq2yb54sf4kjb3bl41t4xgtp (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32642 (advisory)
- www.openwall.com/lists/oss-security/2026/03/20/2 (web)
News mentions
- Siemens Opcenter RDnL (CISA ICS Advisories)