CVE Catalog

CVE-2026-49877

HighCVSS 8.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.51%

40th percentile — higher than 40% of all known CVEs

Summary

An improper authorization vulnerability was found in Apache ActiveMQ. By default, an authenticated low-privilege Web Console user can access /admin/* paths, which should be restricted to admins. The issue is caused by incorrect default Jetty settings.

Risk Assessment

The organization is at risk of unauthorized access to the admin panel by regular users, potentially leading to privilege escalation and compromise of the message broker.

Recommendation

Upgrade Apache ActiveMQ to version 5.19.8 or 6.2.7 immediately to fix the vulnerability.

Original NVD description (English source)

Improper Authorization vulnerability in Apache ActiveMQ. An authenticated low-privilege Web Console user by default can access /admin/* paths in the Web Console. The default Jetty settings incorrectly did not limit those paths to only admins. This issue affects Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7 or 5.19.8, which fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS