MEDIUM 5.9

CVE-2026-49270: Apache ActiveMQ Durable Subscription Metadata Disclosure

Apache ActiveMQ brokers with network connectors configured to sync durable subscriptions are leaking sensitive metadata to unauthenticated attackers. An attacker can request a complete list of durable topic subscriptions, including client IDs, subscription names, destination topics, and JMS selector expressions—all without needing to authenticate. This occurs because the broker responds to BrokerInfo commands before validating the connection's authentication status.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-1230
Affected products
2 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all durable topic subscriptions in the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49270 is an information disclosure vulnerability in Apache ActiveMQ where brokers configured with syncDurableSubs=true in network connector settings fail to enforce authentication checks before responding to BrokerInfo commands. An unauthenticated remote attacker can exploit this to enumerate all durable topic subscriptions and associated metadata. The vulnerability affects ActiveMQ versions before 5.19.7 and 6.0.0 through 6.2.5. The root cause is improper access control at the protocol handler level—the broker should validate peer authentication before exposing subscription metadata, regardless of network topology.

Business impact

Durable subscription metadata exposes business logic and client topology. Subscription names, JMS selectors, and destination mappings often encode application architecture and data flow patterns. Competitors or malicious actors could map your event-driven infrastructure, identify high-value data streams, or craft targeted attacks on known subscribers. For compliance-sensitive organizations (finance, healthcare), disclosure of subscription details tied to client identifiers may trigger data protection incidents. The impact is primarily confidentiality; no data corruption or denial of service occurs.

Affected systems

Affected versions: Apache ActiveMQ (all products) before 5.19.7, and 6.0.0 through 6.2.5. The vulnerability is present only on brokers where a network connector is explicitly configured with syncDurableSubs=true. Brokers without network connectors, or with syncDurableSubs=false (the default), are not vulnerable. Check your broker configuration files (activemq.xml) for network connector definitions with this setting enabled.

Exploitability

Exploitability is moderate. The attack requires network access to the broker's OpenWire protocol port (default 61616) and knowledge that syncDurableSubs is enabled, but no authentication credentials. The CVSS score of 5.9 reflects high confidentiality impact offset by higher complexity (AC:H) due to configuration preconditions. No user interaction is needed, and the attack is reliable once the precondition is met. Public exploits are not yet known to be weaponized, but the simplicity of sending a crafted BrokerInfo command means exploitation barriers are low.

Remediation

Upgrade ActiveMQ to version 5.19.7 or 6.2.6 or later, which enforce authentication validation before exposing subscription metadata. If immediate patching is not feasible, disable syncDurableSubs on network connectors, or restrict network connector listening to trusted internal networks only. Review broker logs and network flow for unauthenticated BrokerInfo commands from suspicious sources.

Patch guidance

Apply the fix by upgrading to Apache ActiveMQ 5.19.7 (for the 5.x line) or 6.2.6 (for the 6.x line) or newer. Verify the patch by checking the version string post-upgrade. Test in a staging environment to confirm broker connectivity and durable subscription functionality remain intact. No configuration changes are required after patching; the authentication check is applied transparently.

Detection guidance

Monitor for unauthenticated BrokerInfo commands on the OpenWire port (61616 by default). Enable debug-level logging in ActiveMQ and search for BrokerInfo messages from unknown peers or repeated enumeration attempts. Network IDS rules should flag multiple BrokerInfo requests from a single source that do not authenticate. Check broker configuration to identify which systems have syncDurableSubs=true and assess whether they are exposed to untrusted networks.

Why prioritize this

This vulnerability merits prompt attention despite a medium CVSS score because (1) durable subscription metadata is a valuable reconnaissance target for attackers planning supply-chain or infrastructure attacks, (2) the configuration condition is often overlooked, making it likely present in many deployments, and (3) the fix is straightforward and low-risk. Organizations running event-driven or message-intensive applications should prioritize remediation.

Risk score, explained

The CVSS 3.1 score of 5.9 (MEDIUM) reflects: Attack Vector=Network (full remote reach), Attack Complexity=High (requires syncDurableSubs configuration), Privileges Required=None (unauthenticated), User Interaction=None (automated attack), Scope=Unchanged, Confidentiality Impact=High (full subscription metadata leaked), Integrity Impact=None, Availability Impact=None. The high complexity penalty applies because the vulnerability depends on a specific, non-default configuration choice. In practice, organizations where this setting is enabled should treat the risk as elevated relative to the base CVSS.

Frequently asked questions

How do I know if my broker is vulnerable?

Check your activemq.xml configuration file for any <networkConnector> elements that include syncDurableSubs="true". If such a connector exists and your broker is running version 5.19.6 or earlier, or 6.0.0 through 6.2.5, you are vulnerable. Vulnerable brokers exposed to untrusted networks require immediate attention.

What exactly is exposed if an attacker exploits this?

An attacker receives a complete list of all durable topic subscriptions, including: client identifiers (typically application names or instance IDs), subscription names, JMS destination topics, and JMS selector expressions (which filter which messages each subscriber receives). This metadata alone does not expose message content, but it reveals your event architecture and client topology.

Is this vulnerability actively exploited in the wild?

As of the advisory publication date, there is no indication this vulnerability has been added to public exploit databases or used in active campaigns. However, the simplicity of the attack means that opportunistic exploitation is likely once the vulnerability becomes widely known.

Can I mitigate without upgrading immediately?

Yes, disable syncDurableSubs on network connectors, or restrict network connectors to listen only on trusted internal networks. This reduces attack surface while you plan patching. However, these are temporary workarounds; upgrading is the permanent fix.

This analysis is based on the CVE advisory published on 2026-06-01 and modified 2026-06-17. CVSS scores and affected version ranges are sourced from the official CVE record. Verify patch availability and version numbers against Apache ActiveMQ's official security advisories before deploying updates. This vulnerability does not appear on the CISA KEV catalog as of the analysis date, but organizations should not delay remediation pending KEV inclusion. Test all patches in a non-production environment first. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).