CVE-2026-49157

CVE-2026-49157: Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default

Vendor Apache Software Foundation

Product Apache ActiveMQ

Weakness CWE-276

Published June 1, 2026

Last update June 1, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

Key dates

Disclosure timeline

June 1, 2026 CVE published

June 1, 2026 Record updated

Identifiers

CVE CVE-2026-49157

CWE CWE-276

Affected versions

Vendor Apache Software Foundation

Product Apache ActiveMQ

Affected < 5.19.7

Vendor Apache Software Foundation

Product Apache ActiveMQ

Affected ≥ 6.0.0 and < 6.2.6