CVE-2025-46548

CVE-2025-46548: Apache Pekko Management, Akka Management: management API basic authentication is not effective

Vendor Apache Software Foundation
Product Apache Pekko Management
Weakness CWE-287 · Improper authentication
Published June 3, 2025
Last update June 11, 2025

What the vulnerability does

Description

If you enable Basic Authentication in Pekko Management using the Java DSL, the authenticator may not be properly applied. Users who rely on authentication, rather than making sure the Management API ports are only available to trusted users, are advised to upgrade to version 1.1.1, which fixes this issue. Akka was affected by the same issue and has released the fix in version 1.6.1.
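Because the failure is silent (authentication is configured but not applied), operators can confirm the behaviour of their own deployment by checking that requests without valid credentials are rejected. The following is an added example, not code from Apache Pekko, Akka or the advisory; `probe`, `basic_auth_enforced` and `start_stub` are hypothetical names, and the stub server with its `admin:s3cret` credentials is constructed so the check runs offline.

```python
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Direct connections only: ignore any proxy configured in the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def probe(url, credentials=None, timeout=5):
    """GET url, optionally with Basic credentials; return the HTTP status code."""
    req = urllib.request.Request(url)
    if credentials is not None:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 arrive as HTTPError

def basic_auth_enforced(url):
    """True only if anonymous and wrong-credential requests are both rejected with 401."""
    return probe(url) == 401 and probe(url, ("invalid-user", "invalid-pass")) == 401

def start_stub(enforce_auth):
    """Constructed stand-in for a management endpoint (not Pekko or Akka code)."""
    expected = "Basic " + base64.b64encode(b"admin:s3cret").decode()

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if enforce_auth and self.headers.get("Authorization") != expected:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="stub"')
            else:
                self.send_response(200)
            self.end_headers()

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_port

if __name__ == "__main__":
    for enforce in (True, False):
        server, url = start_stub(enforce)
        print("authenticator applied:", enforce, "-> enforced:", basic_auth_enforced(url))
        server.shutdown()
```

Against a real deployment, pass the URL of one of your own Management API routes to `basic_auth_enforced`; a `False` result on a service configured with Basic Authentication matches the behaviour described above.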

Key dates

Disclosure timeline

June 3, 2025 CVE published
June 11, 2025 Record updated