By weakness (CWE)

CWE-276: related vulnerabilities

CVEs classified under CWE-276. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

3 published vulnerabilities

  • CVE-2026-49157HIGH 8.8

    Apache ActiveMQ contains a permissions misconfiguration in its Jolokia interface that allows low-privilege web users to perform high-level broker management operations. Specifically, non-admin accounts can execute commands like addQueue and removeQueue that should be restricted to administrators only. This violates the principle of least privilege and can lead to unauthorized service disruption or configuration tampering. Affected versions are ActiveMQ 5.x before 5.19.7 and 6.x before 6.2.6.

  • CVE-2026-48190LOW 3.5

    OTRS has a permission-handling flaw in its External Interface and ConfigItem List module that allows authenticated customers to access Configuration Item (CI) information they shouldn't be able to see. The vulnerability only manifests when both CMDB is enabled and CustomerGroupSupport is configured, meaning organizations using default or simpler OTRS setups may not be affected. An attacker would need valid customer credentials and user interaction to exploit this issue.

  • CVE-2026-48191LOW 3.5

    A permissions bug in OTRS and STORM-powered OTRS allows authenticated users to discover metadata about configuration items (CIs), SLA levels, and services—such as how many are affected—without having actual access to view or modify them. An attacker needs valid login credentials and must interact with the Document Search Article Meta Filters modules to extract this information. While the exposure is limited to metadata disclosure rather than data access, it can provide reconnaissance value to an insider threat or compromised account holder.