CVE-2026-49270
Description
Unauthenticated disclosure of durable topic subscriptions in Apache ActiveMQ when network connector syncDurableSubs is enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Apache ActiveMQ Broker, ActiveMQ, and ActiveMQ All artifacts, in versions from 5.14.0 before 5.19.7 and from 6.0.0 before 6.2.6, are vulnerable to an information disclosure flaw. When a network connector is configured with syncDurableSubs set to true, the broker incorrectly responds to a BrokerInfo command without requiring authentication, exposing durable topic subscription metadata [1].
Exploitation
An unauthenticated attacker can send a crafted BrokerInfo command over the OpenWire protocol to a vulnerable broker. The broker replies with a list of all durable topic subscriptions, including client identifiers, subscription names, topic destinations, and JMS selector expressions. No prior authentication or special network position is required beyond reachability of the broker's OpenWire port [1].
Impact
Successful exploitation allows an attacker to obtain sensitive metadata about the messaging topology, such as which clients are subscribed to which topics and their selectors. This information can be used to plan further attacks, but does not expose message content itself. The disclosure is limited to subscription metadata [1].
Mitigation
Upgrade to Apache ActiveMQ version 5.19.7 or 6.2.6, which fix the issue by enforcing authentication before responding to BrokerInfo commands [1]. If an immediate upgrade is not possible, disable syncDurableSubs on network connectors or restrict network access to the broker's OpenWire port as a temporary workaround.
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
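The mitigation above can be checked mechanically. The following Python audit helper is an added example, not code from the CVE record or the ActiveMQ project: it assumes a broker version string and an activemq.xml fragment laid out in the standard networkConnectors/networkConnector form (the sample config is constructed), and flags both the affected version ranges and any networkConnector whose syncDurableSubs attribute is true.

```python
"""Exposure check for CVE-2026-49270 (added example, not part of the CVE record).
Flags an affected ActiveMQ version and any <networkConnector> with syncDurableSubs="true"."""
import xml.etree.ElementTree as ET

# Affected ranges from the advisory: [5.14.0, 5.19.7) and [6.0.0, 6.2.6)
AFFECTED_RANGES = (((5, 14, 0), (5, 19, 7)), ((6, 0, 0), (6, 2, 6)))

def parse_version(text):
    """'5.18.3' -> (5, 18, 3); tolerates a trailing qualifier such as '-SNAPSHOT'."""
    core = text.split("-")[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (3 - len(parts))

def version_is_affected(text):
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)

def local_name(tag):
    """Strip the XML namespace ({uri}name -> name) so the Spring/ActiveMQ namespaces do not matter."""
    return tag.rsplit("}", 1)[-1]

def find_sync_durable_subs(config_xml):
    """Return the URIs of network connectors whose syncDurableSubs attribute is true."""
    root = ET.fromstring(config_xml)
    hits = []
    for el in root.iter():
        if local_name(el.tag) == "networkConnector":
            if el.get("syncDurableSubs", "false").strip().lower() == "true":
                hits.append(el.get("uri", "<no uri>"))
    return hits

def assess(version, config_xml):
    """Combine both checks: 'fixed' (patched release), 'mitigated' (affected release but
    no syncDurableSubs connector) or 'vulnerable' (affected release and at least one hit)."""
    hits = find_sync_durable_subs(config_xml)
    if not version_is_affected(version):
        return "fixed", hits
    return ("vulnerable" if hits else "mitigated"), hits

# Constructed activemq.xml fragment for demonstration only; hostnames are placeholders.
SAMPLE_CONFIG = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="hub">
    <networkConnectors>
      <networkConnector name="to-edge" uri="static:(tcp://edge1:61616)" syncDurableSubs="true"/>
      <networkConnector name="to-dr" uri="static:(tcp://dr1:61616)"/>
    </networkConnectors>
  </broker>
</beans>"""
```

Calling assess("5.18.3", SAMPLE_CONFIG) returns ("vulnerable", ["static:(tcp://edge1:61616)"]); removing the syncDurableSubs attribute from that connector turns the verdict into "mitigated" until the broker is upgraded to 5.19.7 or 6.2.6.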
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.