HIGH 8.8

CVE-2026-49157: Apache ActiveMQ Jolokia Authorization Bypass Allows Privilege Escalation

Apache ActiveMQ contains a permissions misconfiguration in its Jolokia interface that allows low-privilege web users to perform high-level broker management operations. Specifically, non-admin accounts can execute commands like addQueue and removeQueue that should be restricted to administrators only. This violates the principle of least privilege and can lead to unauthorized service disruption or configuration tampering. Affected versions are ActiveMQ 5.x before 5.19.7 and 6.x before 6.2.6.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-276
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49157 stems from incorrect default authorization rules in the Jolokia interface integrated into Apache ActiveMQ. The vulnerability maps to CWE-276 (Incorrect Default Permissions). When Jolokia is enabled—which provides JMX access over HTTP—the default security configuration fails to restrict broker management operations to admin-level principals. This allows authenticated but unprivileged web users to invoke operations such as addQueue and removeQueue on the broker, effectively gaining administrative capabilities without proper authorization checks. The CVSS 3.1 vector (8.8 HIGH) reflects network accessibility, low attack complexity, low privileges required, and high impact across confidentiality, integrity, and availability.

Business impact

This vulnerability poses a direct threat to ActiveMQ deployment stability and operational security. An attacker with any valid web-login credential—even a low-privilege account created for limited purposes—can reconfigure broker queues, potentially disrupting message flows, deleting critical queues, or creating malicious ones to intercept messages. In environments where ActiveMQ is central to order processing, financial transactions, or real-time communications, unauthorized queue manipulation could cause service downtime, data loss, or message theft. The ability to execute broker management operations also creates audit and compliance risks, as unauthorized configuration changes may violate regulatory requirements.

Affected systems

Apache ActiveMQ versions 5.x up to and including 5.19.6, and all 6.x versions up to and including 6.2.5 are vulnerable. Organizations running ActiveMQ with Jolokia enabled (a common configuration for remote monitoring and management) and with multiple user accounts at varying privilege levels face the highest risk. Virtual and containerized deployments, cloud-hosted message brokers, and hybrid message queue architectures are equally exposed if they use these versions.

Exploitability

Exploitation requires only network access to the Jolokia HTTP endpoint and a valid low-privilege web-login credential. No special tools or complex attack chains are needed—the vulnerability is easily reachable through standard HTTP requests once a user is authenticated. The CVSS metric 'AC:L' (attack complexity low) and 'PR:L' (privileges low) underscore this. However, the vulnerability does require prior knowledge of valid credentials, which typically exists only within an organization or in scenarios where account provisioning is overly permissive. It is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but the straightforward nature of the flaw makes it a natural target for both targeted insider threats and opportunistic external attackers who obtain credentials through phishing or other means.

Remediation

Upgrade Apache ActiveMQ to version 5.19.7 or later (for 5.x users) or version 6.2.6 or later (for 6.x users). These releases correct the default Jolokia authorization policy to properly enforce admin-only restrictions on broker management operations. If immediate upgrades are not feasible, restrict network access to the Jolokia endpoint using firewall rules, VPNs, or reverse proxies; disable Jolokia if it is not actively needed; and audit all web-login accounts to ensure only trusted administrators have access. Additionally, review and restrict the use of low-privilege accounts to only the minimum necessary permissions within your infrastructure.

Patch guidance

Verify the availability of ActiveMQ 5.19.7 or 6.2.6 (or later) through the official Apache ActiveMQ release page and your organization's software repository. Plan patching in coordination with your message broker maintenance windows to minimize disruption. For containerized deployments, rebuild images with the patched version and redeploy. For clustered ActiveMQ topologies, coordinate rolling updates to maintain availability. After patching, validate that Jolokia authorization rules are correctly enforced by testing with low-privilege accounts to confirm they can no longer execute broker management operations. Document the patch date and version for compliance and audit trails.

Detection guidance

Monitor Jolokia HTTP logs for calls to the addQueue, removeQueue, or other broker management methods originating from non-admin user sessions. Enable authentication and HTTP access logging on the Jolokia endpoint if not already active. Look for repeated or anomalous queue creation/deletion patterns, failed authorization attempts, or queue operations outside normal maintenance windows. In environments with centralized security logging, correlate Jolokia operation logs with user identity and privilege level. Implement alerting on any invocation of administrative broker operations by low-privilege accounts. Periodic audits of queue configuration against known baseline states can reveal unauthorized changes made through this vulnerability.

Why prioritize this

Although not yet in the KEV catalog, this vulnerability merits urgent remediation due to its high CVSS score (8.8), low barrier to exploitation, and direct impact on broker operations and message integrity. The requirement for valid credentials introduces some gating, but the ease of exploitation once credentials are obtained and the potential for severe operational disruption make it a priority above medium-risk issues. Organizations with strict message flow dependencies, compliance mandates, or multi-tenant ActiveMQ deployments should prioritize this fix within their critical patch cycle.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: (1) Network-accessible Jolokia endpoint (AV:N), (2) low attack complexity with standard HTTP calls (AC:L), (3) requirement for low-level authenticated access (PR:L), (4) no user interaction needed (UI:N), (5) impact confined to a single system (S:U), and (6) high impact on all three security properties—an attacker can read broker state (confidentiality), modify queue configurations (integrity), and disable or degrade message processing (availability). The score appropriately captures the severity, though real-world risk depends on credential distribution and network segmentation in your environment.

Frequently asked questions

Do we need to upgrade if Jolokia is disabled in our ActiveMQ configuration?

If you have explicitly disabled the Jolokia interface or do not expose it on the network, the risk from CVE-2026-49157 is substantially reduced. However, we recommend upgrading anyway as a defense-in-depth measure, especially if there is any possibility of Jolokia being re-enabled in the future or if you use managed ActiveMQ services where the feature state may not be fully visible to you.

Can we mitigate this vulnerability without patching?

Partial mitigation is possible through network controls: restrict access to the Jolokia HTTP port to only admin IP ranges, disable Jolokia if it is not actively used, and limit the creation of low-privilege accounts to those absolutely necessary. However, these are workarounds, not fixes. An attacker with network access to Jolokia and any valid credential will still be able to exploit the misconfigured authorization. Patching is the proper remediation.

How can we verify the vulnerability is fixed after patching?

After upgrading to the patched version, log in with a low-privilege test account and attempt to invoke Jolokia operations like addQueue. The operation should be rejected with an authorization error. Additionally, review the Jolokia configuration and logs to confirm that the authorization policy now correctly enforces admin-only restrictions. Your vendor's release notes or security advisory will document the specific authorization changes made in the patched version.

Is this vulnerability exploitable over the internet?

Yes, if your ActiveMQ Jolokia endpoint is exposed to the internet and valid credentials are known or compromised. The CVSS vector AV:N indicates network accessibility. Many organizations inadvertently expose management interfaces due to misconfigured firewalls or cloud security groups. Audit your network perimeter to confirm that Jolokia is not reachable from untrusted networks.

This analysis is provided for informational and defensive security purposes only. SEC.co makes no warranty regarding the accuracy or completeness of this information and assumes no liability for its use. Readers are responsible for verifying all patch versions, vendor advisories, and compatibility considerations with their environment before implementing any changes. No information herein constitutes legal or compliance advice; consult your legal and compliance teams regarding regulatory obligations related to this vulnerability. Exploit code or detailed attack methodologies are not provided in this document. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).