CVE-2026-49877: Apache ActiveMQ: Authenticated web users retain admin access by default in the Web Console

Vendor: Apache Software Foundation
Product: Apache ActiveMQ
Weakness: CWE-285
Published: June 30, 2026
Last update: June 30, 2026

What the vulnerability does

01 Description

Improper Authorization vulnerability in Apache ActiveMQ. By default, an authenticated low-privilege Web Console user can access /admin/* paths in the Web Console, because the default Jetty settings did not restrict those paths to admins. This issue affects Apache ActiveMQ before 5.19.8, and from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Key dates

02 Disclosure timeline

June 30, 2026: CVE published
June 30, 2026: Record updated