CVE-2026-49877

Severity CVSS v4.0:
Pending analysis
Type:
CWE-285 Improper Authorization
Publication date:
30/06/2026
Last modified:
02/07/2026

Description

Improper Authorization vulnerability in Apache ActiveMQ.<br /> <br /> An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins.<br /> This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.<br /> <br /> Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* 5.19.8 (excluding)
cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:* 6.0.0 (including) 6.2.7 (excluding)