CVE-2026-49157
Description
Apache ActiveMQ default Jolokia settings let low-privilege web users run admin broker management operations like addQueue and removeQueue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Apache ActiveMQ, the default Jolokia authorization settings grant non-admin (low-privilege) web-login accounts access to Jolokia operations that are intended for administrators only, such as addQueue and removeQueue. This incorrect-default-permissions flaw affects versions before 5.19.7 and versions from 6.0.0 before 6.2.6. It lies in the configuration of the Jolokia endpoint, which is enabled by default in the web console.
Exploitation
An attacker only needs a valid low-privilege web account (e.g., a user created via the web console with default roles) to exploit this vulnerability. No special network position beyond normal web access to the ActiveMQ web console is required. The attacker can log in, navigate to the Jolokia endpoint, and invoke broker management operations that should be restricted to administrators, such as creating or removing queues.
Impact
Successful exploitation allows an attacker to execute administrative operations on the message broker, including adding or removing queues. This can lead to denial of service (by deleting critical queues), disruption of message flow, or unauthorized reconfiguration of the broker. The attacker effectively escalates from a low-privileged user to having administrative control over the broker's management functions.
Mitigation
The vulnerability is fixed in Apache ActiveMQ versions 5.19.7 and 6.2.6. Users should upgrade to these versions or later. No workaround is documented in the available references. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
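As an added example (not from the CVE record or the ActiveMQ project), the two affected ranges stated above, "before 5.19.7" and "from 6.0.0 before 6.2.6", encoded as a version check that an inventory or patch-tracking script can run against broker version strings; the hostnames and versions in the sample inventory are constructed.

```python
from typing import Dict, List, Tuple

# Fixed versions named in the CVE record; anything below these on its line is affected.
FIXED_5X = (5, 19, 7)
FIXED_6X = (6, 2, 6)


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn an ActiveMQ version string such as '5.18.3' or '6.1.0' into a numeric tuple.

    A qualifier suffix (e.g. '6.2.0-SNAPSHOT') is dropped; only major.minor.patch is
    compared, and missing components are treated as 0.
    """
    core = v.strip().split("-")[0]
    nums = [int(p) for p in core.split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True if the version falls in a range the record lists as vulnerable.

    5.x line (and anything older): affected when below 5.19.7.
    6.x line: affected when at or above 6.0.0 and below 6.2.6.
    """
    v = parse_version(version)
    if v < (6, 0, 0):
        return v < FIXED_5X
    return v < FIXED_6X


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose broker version is affected, sorted for stable output."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostname -> reported ActiveMQ version), not real data.
SAMPLE_INVENTORY = {
    "mq-legacy-01": "5.18.3",        # affected: below 5.19.7
    "mq-legacy-02": "5.19.7",        # fixed
    "mq-prod-01": "6.2.5",           # affected: below 6.2.6
    "mq-prod-02": "6.2.6",           # fixed
    "mq-dev-01": "6.0.0-SNAPSHOT",   # affected: qualifier ignored, 6.0.0 is in range
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected; upgrade to 5.19.7 / 6.2.6 or later")
```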
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.