MEDIUM 4.3

CVE-2026-46605: Apache ActiveMQ Authorization Bypass Allows Authenticated Destination Deletion

Apache ActiveMQ has an authorization flaw that allows authenticated users to delete message queues and topics they shouldn't be able to modify. An attacker with valid credentials to your messaging system could disrupt operations by removing critical destinations, even if permission controls suggest they shouldn't have that ability. This affects ActiveMQ versions before 5.19.7 and 6.0.0 through 6.2.5.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-285
Affected products
2 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46605 is an incomplete authorization vulnerability in Apache ActiveMQ's broker implementation. The flaw allows authenticated connections to bypass destination-level access controls and remove existing queues and topics. The vulnerability stems from insufficient permission validation when processing destination deletion requests. It impacts the 5.x line (before 5.19.7) and the newer 6.x series (versions 6.0.0 through 6.2.5). The CVSS 3.1 score of 4.3 reflects that exploitation requires prior authentication and results in availability impact rather than confidentiality or integrity compromise.

Business impact

Disruption to message-driven applications is the primary risk. An authenticated attacker could delete critical destinations, causing application failures, breaking inter-service communication, and forcing operational recovery efforts. For organizations relying on ActiveMQ for event streaming, order processing, or real-time notifications, this could result in service downtime. The damage is bounded by the requirement for valid credentials and the availability-only impact (no data theft or modification), but recovery still incurs operational cost and potential revenue loss during outages.

Affected systems

Apache ActiveMQ Broker versions before 5.19.7 and from 6.0.0 before 6.2.6 are affected. This includes deployments using Apache ActiveMQ (the standalone broker) and Apache ActiveMQ All (the full package distribution). Organizations should inventory their ActiveMQ instances and identify which major version line they are running, then determine their current patch level within that line.

Exploitability

Exploitation requires valid authentication credentials to the ActiveMQ broker—an attacker cannot exploit this remotely without legitimate access. The attack surface is limited to authenticated sessions, which reduces immediate risk in well-secured environments with restricted broker access. However, insider threats or compromised application credentials that communicate with ActiveMQ would present a real exploitation path. No public exploit code has been disclosed, and the vulnerability does not appear on the CISA Known Exploited Vulnerabilities catalog as of the publication date.

Remediation

Upgrade Apache ActiveMQ to version 5.19.7 or later (for the 5.x line) or to version 6.2.6 or later (for the 6.x line). These versions contain the authorization fix. Before patching, apply compensating controls: restrict broker access to a minimal set of trusted applications and networks, enforce strong authentication, and audit destination management operations. Review access logs for any unauthorized deletion attempts.

Patch guidance

For 5.x deployments, upgrade directly to 5.19.7 or any later 5.x patch. For 6.x deployments, upgrade to 6.2.6 or later. Test patches in a non-production environment first, particularly if your applications depend on specific ActiveMQ behavioral characteristics. Verify against the official Apache ActiveMQ security advisory for any breaking changes or migration notes specific to your version jump. Rolling restarts of broker clusters should be coordinated to maintain availability during patching.

Detection guidance

Monitor ActiveMQ broker logs for destination deletion operations initiated by unexpected users or service accounts. Implement alerting on unsuccessful authorization attempts related to queue or topic management. Use JMX metrics to track destination lifecycle events (creation, deletion) and cross-reference them against your application's normal operations. In network monitoring, flag any unusual administrative commands to ActiveMQ from unexpected source IPs or applications. Organizations using SIEM solutions should create a correlation rule for destination deletion by low-privilege or guest accounts.

Why prioritize this

Although the CVSS score is medium (4.3), priority should be elevated if your organization's availability is business-critical or if ActiveMQ handles high-value workflows (payments, orders, notifications). Conversely, if ActiveMQ is used only for non-critical logging or internal metrics, patching can be scheduled normally. The lack of confidentiality or integrity impact means this is not an urgent data-security matter, but the availability component and the ease of exploitation by insiders warrant timely action within 30–60 days.

Risk score, explained

The CVSS 3.1 score of 4.3 (Medium) reflects a network-accessible service (AV:N) with low complexity (AC:L) that requires prior login (PR:L). The vector indicates no confidentiality loss (C:N), no integrity loss (I:N), but availability impact (A:L) when destinations are deleted. The score appropriately penalizes the requirement for authentication, which is a significant control. However, the severity should be contextualized: in environments where ActiveMQ processes mission-critical workflows or where credential compromise is plausible, practical risk may be higher.

Frequently asked questions

Do I need to be on the ActiveMQ network to exploit this?

No, but you do need valid credentials. The vulnerability is remotely exploitable over the network, but only if you have a legitimate username and password (or can obtain them through credential compromise or insider access).

Will this vulnerability cause data loss?

No. The vulnerability allows deletion of message destinations (queues and topics), not the data itself. However, deleting a destination disrupts message flow and can cause application failures. Recovered messages from persistence storage would need to be re-routed.

What versions of Apache ActiveMQ are safe?

ActiveMQ 5.19.7 and later (5.x line) and 6.2.6 and later (6.x line) contain the fix. If you are running 5.18.x or earlier, or 6.0.x through 6.2.5, you are affected.

Is there a workaround if I can't patch immediately?

Restrict network access to your ActiveMQ broker to only trusted applications and networks. Enforce strong authentication, use per-application credentials with minimal permissions, and monitor destination management operations closely. These are temporary measures; patching should be completed as soon as feasible.

This analysis is based on publicly available information and the official vulnerability description as of the publication date. Specific version numbers, patch availability, and CVSS scoring should be verified against the official Apache ActiveMQ security advisory and vendor guidance. SEC.co does not provide legal or compliance advice; organizations should assess their own risk posture and regulatory obligations. Patch testing should be performed in non-production environments before deployment to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).