MEDIUM 4.3

CVE-2026-40914

Apache Artemis has a flaw in how it enforces permissions when users communicate via the STOMP protocol. A user with permission to send or receive messages on a particular address can trick the system into accepting messages with a message routing-type that the address doesn't normally support. This bypasses an important security boundary: only administrators with explicit createAddress permission should be able to change an address's routing-type capabilities. An attacker could exploit this to send or consume messages in ways that violate the intended security policy, even though their basic send/consume permissions are legitimate.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-863
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission. This issue affects Apache Artemis: from 2.50.0 through 2.53.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0. Users are recommended to upgrade to version 2.54.0, which fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-40914 is an authorization bypass in Apache Artemis affecting STOMP protocol connections. The vulnerability stems from insufficient permission validation when routing-type operations occur. When a client holding consume or send permissions on an address attempts to perform a message operation with a non-supported routing-type, the system fails to properly check whether the user has createAddress permission before implicitly accepting the new routing-type. This allows privilege escalation from message-level permissions to address-configuration-level capabilities. The flaw is classified as CWE-863 (Improper Authorization), indicating a fundamental gap in access control logic during message routing decisions.

Business impact

Organizations running affected Artemis versions may face integrity and compliance violations. An authenticated user could violate message routing policies without detection, potentially circumventing audit trails or message handling rules tied to routing-type restrictions. In environments where routing-types enforce compliance boundaries or segregate message classes, this becomes a material control weakness. The impact is limited to authenticated users with existing send/consume permissions, reducing but not eliminating risk. Patching is recommended to maintain strict separation between messaging permissions and infrastructure modification authority.

Affected systems

Apache Artemis versions 2.50.0 through 2.53.0 and Apache ActiveMQ Artemis versions 2.0.0 through 2.44.0 are affected. Organizations should verify their installed versions immediately. Note the two version lines: the more recent 2.50.0+ line and the legacy 2.0.0–2.44.0 line both contain the vulnerability, indicating this is not a newly introduced flaw. Systems using earlier versions prior to 2.0.0 are not affected. Any deployment using STOMP protocol connections with authentication enabled should be prioritized for assessment.

Exploitability

Exploitability is moderate. The vulnerability requires valid STOMP protocol credentials granting at least send or consume permissions on the target address. No network-level attack or privilege escalation from an unauthenticated state is possible. The attack surface is limited to authenticated users and internal or trusted external connections with valid credentials. However, once an attacker has basic messaging credentials—which may be broadly distributed in many organizations—the exploit is straightforward: issue a message operation with an unsupported routing-type and observe whether it is accepted. The CVSS score of 4.3 (Medium) reflects this: low attack complexity and no user interaction required, but restricted to authenticated scenarios.

Remediation

Upgrade to Apache Artemis version 2.54.0 or later, which implements proper permission checks to ensure createAddress permission is required before any routing-type modification, even implicitly during message operations. Organizations should verify the patch version in vendor advisories before deployment. Until patching is complete, limit STOMP protocol access to the most restricted set of principals; audit which users and services hold send/consume permissions on mission-critical addresses and consider temporarily reducing their scope if feasible.

Patch guidance

Apache recommends upgrading to version 2.54.0. Review your current Artemis version via `artemis --version` or the management console. If you are on 2.50.0–2.53.0 or 2.0.0–2.44.0, plan an upgrade immediately. Test the patch in a non-production environment first to verify compatibility with your STOMP clients and configuration. Pay particular attention to any custom routing rules or permission assignments that may interact with the fix. Verify against the official Apache Artemis security advisory for detailed upgrade instructions and any compatibility notes.

Detection guidance

Monitor Artemis broker logs for STOMP operations that succeed with unexpected routing-type values. Enable debug-level logging on the OpenWire/STOMP transport if available. Look for message sends or receives on addresses where the routing-type was subsequently modified without an explicit createAddress call by an administrative user. Correlate successful operations with unusual routing-type values against your baseline address configurations. Check audit logs for any address property changes that coincide with non-administrative user activity. Organizations with centralized logging should ingest Artemis logs and create alerts on suspicious routing-type transitions tied to non-privileged user sessions.

Why prioritize this

While the CVSS score is moderate (4.3), this vulnerability should not be dismissed. It represents a fundamental authorization bypass that undermines role separation in messaging infrastructure. The requirement for valid credentials is the main limiting factor, but in many organizations, send/consume permissions are distributed broadly to services and applications. The flaw is not in the KEV catalog, suggesting active exploitation has not been widely reported, but this does not diminish the compliance and policy violation risk. Prioritize based on: (1) how broadly send/consume credentials are distributed in your environment, (2) whether your compliance regime treats routing-type changes as sensitive, and (3) whether you operate multi-tenant or high-security messaging architectures where strict permission boundaries are critical.

Risk score, explained

The CVSS 3.1 score of 4.3 (Medium) is assigned based on: Network accessibility (AV:N), low attack complexity (AC:L), requirement for valid login credentials (PR:L), no user interaction (UI:N), unchanged scope (S:U), and integrity impact only (I:L with no confidentiality or availability impact). The score correctly captures that this is an authenticated, low-complexity flaw with bounded impact. However, risk in your environment may be higher if credentials are widely held or if policy violations carry regulatory consequences.

Frequently asked questions

Do I need to patch immediately if I use Artemis only for internal messaging with trusted users?

Even in trusted environments, the flaw represents a control weakness that auditors and compliance frameworks may flag. If your users hold send/consume credentials, they can implicitly alter routing-type behavior. Patch within your standard maintenance window, but prioritization can be slightly lower if credential distribution is tightly controlled and routing-type boundaries are not critical to your security model.

Can this vulnerability be exploited without valid STOMP credentials?

No. The vulnerability requires an authenticated user with existing send or consume permissions on the target address. Unauthenticated attackers cannot exploit it. However, in many organizations, application service accounts hold these permissions broadly, so the practical attack surface may be larger than it initially appears.

Will the patch change my existing address configurations or require reconfiguration?

The patch is a security fix that enforces stricter permission checks; it should not alter your existing addresses or require manual reconfiguration. Test the patch in a staging environment to verify compatibility with your STOMP clients and application logic. Verify against the official Apache Artemis release notes for any compatibility considerations.

What is the difference between the two affected version lines (2.50.0+ vs. 2.0.0–2.44.0)?

Apache maintains two supported version streams. Both contain the flaw, indicating it is a long-standing authorization bug rather than a regression in recent code. Upgrade paths differ: users on the newer line upgrade to 2.54.0; users on the older line must also upgrade to 2.54.0 or verify vendor guidance for extended support options.

This analysis is provided for informational purposes and reflects the publicly available CVE data as of the publication date. CVSS scores and vulnerability details are sourced from official CVE records and vendor advisories. Patch versions and upgrade paths should be verified directly against Apache's official security advisory and release notes before deployment. Your organization's risk assessment may differ based on your specific deployment architecture, credential distribution model, and regulatory obligations. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Affected vendors

Weaknesses (CWE)

Related vulnerabilities