CVE-2026-46605

CVE-2026-46605: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal

Vendor Apache Software Foundation

Product Apache ActiveMQ Broker

Weakness CWE-285

Published June 1, 2026

Last update June 1, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.

Key dates

Disclosure timeline

June 1, 2026 CVE published

June 1, 2026 Record updated

Identifiers

CVE CVE-2026-46605

CWE CWE-285

Affected versions

Vendor Apache Software Foundation

Product Apache ActiveMQ Broker

Affected < 5.19.7

Vendor Apache Software Foundation

Product Apache ActiveMQ Broker

Affected ≥ 6.0.0 and < 6.2.6

Vendor Apache Software Foundation

Product Apache ActiveMQ All

Affected < 5.19.7

Vendor Apache Software Foundation

Product Apache ActiveMQ All

Affected ≥ 6.0.0 and < 6.2.6

Vendor Apache Software Foundation

Product Apache ActiveMQ

Affected < 5.19.7

Vendor Apache Software Foundation

Product Apache ActiveMQ

Affected ≥ 6.0.0 and < 6.2.6