Description
An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ’s host OS. In some scenarios RCE could be achieved.
Published: 2026-03-05
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Read with potential Remote Code Execution
Action: Patch Now
AI Analysis

Impact

This vulnerability arises from unsafe parsing of OpenMQ’s configuration, permitting an attacker to read arbitrary files on the broker’s host operating system. The flaw enables path traversal, allowing access to files outside the intended configuration directory. A full exploitation could leak sensitive data, and in certain scenarios remote code execution may be achieved.

Affected Systems

The affected product is Eclipse OpenMQ from Eclipse Foundation. Specific version information is not provided in the CVE data, so any deployment using OpenMQ should review its current version against the vendor’s advisories.

Risk and Exploitability

With a CVSS score of 9.1, the vulnerability is considered severe. The EPSS score of less than 1% indicates a low estimated probability of exploitation at this time, and it is not listed in the CISA KEV catalog. The likely attack vector is remote, via the OpenMQ configuration interface, and any attacker who can send crafted configuration data can read arbitrary files or potentially execute code depending on the environment.

Generated by OpenCVE AI on April 16, 2026 at 12:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest official OpenMQ patch or upgrade to a supported version that addresses the unsafe configuration parsing flaw.
  • Restrict network access to the OpenMQ management endpoint using firewall rules or VPNs so that only trusted hosts can modify configuration.
  • Enforce strict validation on the configuration parser to prevent path traversal and reject any request that attempts to access files outside the allowed directory structure.

Generated by OpenCVE AI on April 16, 2026 at 12:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 12:45:00 +0000

Type Values Removed Values Added
Title OpenMQ Unsafe Configuration Parsing Enables Remote File Read and Potential RCE

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:eclipse:open_message_queue:*:*:*:*:*:*:*:* cpe:2.3:a:eclipse:openmq:*:*:*:*:*:*:*:*
Vendors & Products Eclipse open Message Queue

Tue, 10 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse open Message Queue
CPEs cpe:2.3:a:eclipse:open_message_queue:*:*:*:*:*:*:*:*
Vendors & Products Eclipse open Message Queue

Fri, 06 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse openmq
Vendors & Products Eclipse
Eclipse openmq

Thu, 05 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description An unsafe parsing of OpenMQ's configuration, allows a remote attacker to read arbitrary files from a MQ Broker's server. A full exploitation could read unauthorized files of the OpenMQ’s host OS. In some scenarios RCE could be achieved.
Weaknesses CWE-22
CWE-27
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}

Subscriptions

Eclipse Openmq
cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-03-06T16:11:32.915Z

Reserved: 2026-01-23T11:07:26.456Z

Link: CVE-2026-24457

cve-icon Vulnrichment

Updated: 2026-03-06T16:00:32.917Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T19:16:02.780

Modified: 2026-04-15T13:30:43.413

Link: CVE-2026-24457

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:30:06Z

Weaknesses