VYPR
Unrated severity · NVD Advisory · Published May 28, 2026 · Updated May 28, 2026

CVE-2026-40914

Description

A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission.

This issue affects Apache Artemis: from 2.50.0 through 2.53.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.

Users are recommended to upgrade to version 2.54.0, which fixes the issue.
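As an added triage helper, not part of the advisory and not Apache Artemis code: a Python check that maps broker inventory entries onto the two affected ranges and the fixed version stated above, so affected deployments can be listed for upgrade. The inventory rows in the sample are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Affected ranges and fixed version exactly as stated in the CVE-2026-40914 text.
AFFECTED_RANGES = {
    "Apache Artemis": ((2, 50, 0), (2, 53, 0)),
    "Apache ActiveMQ Artemis": ((2, 0, 0), (2, 44, 0)),
}
FIXED_VERSION = (2, 54, 0)

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse 'major.minor[.patch]'; trailing qualifiers such as '-SNAPSHOT'
    are ignored and a missing patch level is treated as 0. None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


class Triage(NamedTuple):
    product: str
    version: str
    affected: Optional[bool]  # None means "could not be assessed"
    reason: str


def triage(product: str, version: str) -> Triage:
    """Decide whether one product/version pair falls inside an affected range."""
    parsed = parse_version(version)
    if parsed is None:
        return Triage(product, version, None, "unparseable version; review manually")
    rng = AFFECTED_RANGES.get(product)
    if rng is None:
        return Triage(product, version, None, "product not named in the advisory")
    low, high = rng
    if low <= parsed <= high:
        fixed = ".".join(map(str, FIXED_VERSION))
        return Triage(product, version, True, f"in affected range; upgrade to {fixed}")
    return Triage(product, version, False, "outside affected range")


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, Triage]]:
    """Return (host, triage) for every inventory row (host, product, version) that is affected."""
    return [(host, t) for host, prod, ver in inventory
            if (t := triage(prod, ver)).affected]


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("mq-01", "Apache Artemis", "2.53.0"),
    ("mq-02", "Apache Artemis", "2.54.0"),
    ("mq-03", "Apache ActiveMQ Artemis", "2.44.0-SNAPSHOT"),
    ("mq-04", "Apache ActiveMQ Artemis", "2.45.0"),
]
```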

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Artemis STOMP users with send/consume permission can alter address routing-type without createAddress permission, bypassing access controls.

Vulnerability

A vulnerability in Apache Artemis and Apache ActiveMQ Artemis allows a user with STOMP protocol credentials that grant either the consume or send permission on an address to augment the routing-type supported by that address, even without the createAddress permission [1]. This affects Apache Artemis versions 2.50.0 through 2.53.0 and Apache ActiveMQ Artemis versions 2.0.0 through 2.44.0 [1].

Exploitation

An attacker needs network access to the STOMP endpoint and valid credentials that grant send or consume permission on a target address. By sending a message to an address or consuming a message from a queue with a routing-type not originally supported by that address, the attacker can effectively change the address's routing-type [1]. No additional permissions are required.

Impact

Successful exploitation allows the attacker to alter the routing-type of an address, enabling messages with unsupported routing types to be sent or consumed. This bypasses the intended access control that requires the createAddress permission to modify address routing-type, potentially leading to message misrouting or violation of security policies [1].

Mitigation

The issue is fixed in Apache Artemis version 2.54.0 [1]. Users are recommended to upgrade to this version. No workarounds are provided in the available references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2

News mentions: 0 (no linked articles in our index yet)