CVE-2026-49877
HighCVSS 8.1Exploitation Probability (EPSS)
Low risk40th percentile — higher than 40% of all known CVEs
Summary
An improper authorization vulnerability was found in Apache ActiveMQ. By default, an authenticated low-privilege Web Console user can access /admin/* paths, which should be restricted to admins. The issue is caused by incorrect default Jetty settings.
Risk Assessment
The organization is at risk of unauthorized access to the admin panel by regular users, potentially leading to privilege escalation and compromise of the message broker.
Recommendation
Upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7 immediately to fix the vulnerability.
Original NVD description (English source)
Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

