CVE-2026-54475

Summary

Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.

Users are recommended to upgrade to version 6.2.7, which fixes the issue.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache ActiveMQ Broker0 < 5.19.8affected
Apache Software FoundationApache ActiveMQ Broker6.0.0 < 6.2.7affected
Apache Software FoundationApache ActiveMQ All0 < 5.19.8affected
Apache Software FoundationApache ActiveMQ All6.0.0 < 6.2.7affected
Apache Software FoundationApache ActiveMQ0 < 5.19.8affected
Apache Software FoundationApache ActiveMQ6.0.0 < 6.2.7affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References