CVE-2026-54475

CVE-2026-54475: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover

Vendor Apache Software Foundation
Product Apache ActiveMQ Broker
Weakness CWE-862 · Missing authorization
Published June 30, 2026
Last update June 30, 2026

CVSS base score

What the vulnerability does

01Description

Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.

Key dates

02Disclosure timeline

June 30, 2026 CVE published
June 30, 2026 Record updated