CVE-2026-46605
Description
Apache ActiveMQ before 5.19.7 and 6.2.6 has incomplete authorization, allowing authenticated users to delete destinations without proper permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache ActiveMQ before 5.19.7 and 6.2.6 has incomplete authorization, allowing authenticated users to delete destinations without proper permissions.
Vulnerability
Incomplete authorization in Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ packages before versions 5.19.7 and 6.2.6 allows authenticated connections to remove existing destinations even when they lack the required permissions. The flaw affects the destination removal functionality.
Exploitation
An attacker with an authenticated connection to the ActiveMQ broker can exploit this by sending a request to remove a destination. No additional privileges are required beyond authentication.
Impact
Successful exploitation leads to unauthorized deletion of destinations, disrupting message delivery and potentially causing denial of service.
Mitigation
Upgrade to Apache ActiveMQ 5.19.7 or 6.2.6 as soon as possible. No workarounds are mentioned in the advisory [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2News mentions
0No linked articles in our index yet.