CVE-2026-32642 LOW

CVE-2026-32642: Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission

Vendor Apache Software Foundation

Product Apache Artemis

Weakness CWE-863 · Incorrect authorization

Published March 24, 2026

Last update March 24, 2026

View on NVD All CVEs

CVSS base score

2.3/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed. This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0. Users are recommended to upgrade to version 2.53.0, which fixes the issue.

Key dates

Disclosure timeline

March 24, 2026 CVE published

March 24, 2026 Record updated

Identifiers

CVE CVE-2026-32642

CWE CWE-863

CVSS 2.3 / LOW

Affected versions

Vendor Apache Software Foundation

Product Apache Artemis

Affected ≥ 2.50.0 and ≤ 2.52.0

Vendor Apache Software Foundation

Product Apache ActiveMQ Artemis

Affected ≥ 2.0.0 and ≤ 2.44.0