CVE-2026-49157

8.8 HIGH

Incorrect Default Permissions vulnerability in Apache ActiveMQ

Published: 2026-06-01 · Last updated: 2026-06-01

Severity and scoring

CVSS: 8.8 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-276

Affected products

Vendor	Product
apache	activemq

Description

Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-49157
[Vendor advisory]https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8
[Other]http://www.openwall.com/lists/oss-security/2026/05/31/21

Related CVEs

Same vendor

CVE-2026-34905 — Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-34031 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-33582 — Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer (6.5 MEDIUM)
CVE-2026-25699 — Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer (6.1 MEDIUM)
CVE-2026-25688 — Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer (6.1 MEDIUM)

Same CWE

CVE-2026-48191 — An incorrect handling of permissions in STORM powered by OTRS and in OTRS (2026.x and above) Document Search Article Meta Filters modules... (3.5 LOW)
CVE-2026-48190 — An incorrect handling of permissions in OTRS External Interface and the ConfigItem List module allows an authenticated customer to query ... (3.5 LOW)
CVE-2026-33590 — Insecure default settings of Portainer CE grant regular (non-admin) users privileges that allow host filesystem access and host-level cod...
CVE-2026-49237 — An issue was discovered in Canonical Multipass for macOS before version 1.16.3 due to an incomplete fix for CVE-2025-5199 (7.8 HIGH)
CVE-2026-44469 — The affected product extracts installation files to a temporary directory with incorrect default permissions during administrative instal... (7.8 HIGH)