Description
Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both:

- incoming Core protocol connections from untrusted sources to the broker

- outgoing Core protocol connections from the broker to untrusted targets

This issue affects:

- Apache Artemis from 2.50.0 through 2.51.0

- Apache ActiveMQ Artemis from 2.11.0 through 2.44.0.

Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue.

The issue can be mitigated by one of the following:

- Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core.

- Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.

- Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte) 0xfffffff0. Documentation for interceptors is available at https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html.
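The interceptor mitigation above, written out as an added example; this is not code from the Apache Artemis project or the advisory. It assumes the standard Artemis `Interceptor` SPI (`org.apache.activemq.artemis.api.core.Interceptor`, whose `intercept` method returns `false` to stop a packet from being processed) and uses the packet type value stated in the advisory. The package and class names are hypothetical.

```java
// Added example: a Core interceptor that drops downstream federation connect packets.
// Hypothetical package and class names; not code from the Apache Artemis project.
package example.artemis.hardening;

import java.util.logging.Logger;

import org.apache.activemq.artemis.api.core.ActiveMQException;
import org.apache.activemq.artemis.api.core.Interceptor;
import org.apache.activemq.artemis.core.protocol.core.Packet;
import org.apache.activemq.artemis.spi.core.protocol.RemotingConnection;

/**
 * Denies every Core "downstream federation connect" packet arriving on an incoming
 * connection. Register it in broker.xml under <remoting-incoming-interceptors> with a
 * <class-name> element (see the intercepting-operations documentation linked above)
 * and place the compiled jar on the broker's classpath, e.g. the instance lib directory.
 */
public class DenyFederationDownstreamConnectInterceptor implements Interceptor {

    // Packet type of a Core downstream federation connect packet, as stated in the
    // advisory ((int) -16). Packet.getType() returns a byte, so compare the byte value.
    static final byte FEDERATION_DOWNSTREAM_CONNECT_TYPE = (byte) -16;

    private static final Logger LOG =
        Logger.getLogger(DenyFederationDownstreamConnectInterceptor.class.getName());

    /** True when the given packet type is the federation downstream connect type. */
    static boolean isFederationDownstreamConnect(byte packetType) {
        return packetType == FEDERATION_DOWNSTREAM_CONNECT_TYPE;
    }

    @Override
    public boolean intercept(Packet packet, RemotingConnection connection) throws ActiveMQException {
        if (isFederationDownstreamConnect(packet.getType())) {
            // Record the source so monitoring can see the attempt, then stop the packet:
            // returning false tells the broker not to process it any further.
            LOG.warning("Denied Core federation downstream connect packet from "
                + connection.getRemoteAddress() + " (connection " + connection.getID() + ")");
            return false;
        }
        // Every other packet is handed on for normal processing.
        return true;
    }
}
```

The interceptor only covers the Core downstream federation connect packet named in the advisory; it does not replace the other two mitigations. In particular, an acceptor that must stay reachable from untrusted networks should also carry an explicit "protocols" URL parameter that omits CORE, since an acceptor URL without that parameter accepts every protocol, and a denied packet that never gets a response may leave the sending client waiting, which is expected for a rejected federation attempt but worth knowing when reading connection logs.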
Published: 2026-03-04
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass permitting remote federation and potential message injection or exfiltration
Action: Immediate Patch
AI Analysis

Impact

Based on the description, it is inferred that an unauthenticated remote attacker can exploit a missing authentication check in Apache Artemis and the related ActiveMQ Artemis. By sending a specially crafted Core protocol request, the attacker can cause the broker to initiate an outbound federation connection to an attacker‑controlled rogue broker. Once the rogue broker is in place, the attacker may inject malicious messages into any queue or capture messages from any queue via the established federation link. The vulnerability stems from CWE‑306, a lack of authentication for a critical function, allowing unauthorized configuration changes to be executed.

Affected Systems

The flaw affects Apache Artemis versions 2.50.0 through 2.51.0 and Apache ActiveMQ Artemis versions 2.11.0 through 2.44.0. The issue arises in environments that accept Core protocol connections from untrusted sources and permit the broker to open Core connections to untrusted destinations. Administrators should verify the exact product and version deployed against these ranges.

Risk and Exploitability

Based on the CVSS score of 9.3, the vulnerability is rated as critical. The EPSS score of <1% suggests a very low but nonzero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, yet the high impact and authentication bypass nature warrant urgent attention. The likely attack vector is an unauthenticated attacker sending a Core protocol connect request to the broker, causing the broker to establish an outbound federation link to an attacker‑controlled rogue broker. Exploitation requires only that the broker accept inbound Core traffic from an unauthenticated attacker and that it is allowed to open outbound Core links; no additional privileges are needed beyond the broker’s normal operation.

Generated by OpenCVE AI on April 17, 2026 at 13:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided patch by upgrading to Apache Artemis 2.52.0 or later, which resolves the authentication bypass.
  • Disable Core protocol on acceptors that receive connections from untrusted sources; configure each acceptor’s "protocols" URL parameter to exclude Core or remove the default ‘artemis’ acceptor on port 61616.
  • Require two‑way SSL (certificate‑based authentication) for all clients so that the broker rejects unauthenticated connections before the Core protocol handshake and prevents federation link creation by attackers.

Generated by OpenCVE AI on April 17, 2026 at 13:12 UTC.


Advisories
Source: Github GHSA
ID: GHSA-fw88-pf9m-p947
Title: Apache Artemis and Apache ActiveMQ Artemis are Missing Authentication for Critical Functions
History

Tue, 17 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Description

Values Removed: Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both: - incoming Core protocol connections from untrusted sources to the broker - outgoing Core protocol connections from the broker to untrusted targets This issue affects: - Apache Artemis from 2.50.0 through 2.51.0 - Apache ActiveMQ Artemis from 2.11.0 through 2.44.0. Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue. The issue can be mitigated by either of the following: - Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core. - Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.

Values Added: Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both: - incoming Core protocol connections from untrusted sources to the broker - outgoing Core protocol connections from the broker to untrusted targets This issue affects: - Apache Artemis from 2.50.0 through 2.51.0 - Apache ActiveMQ Artemis from 2.11.0 through 2.44.0. Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue. The issue can be mitigated by one of the following: - Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core. - Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability. - Implement and deploy a Core interceptor to deny all Core downstream federation connect packets. Such packets have a type of (int) -16 or (byte) 0xfffffff0. Documentation for interceptors is available at https://artemis.apache.org/components/artemis/documentation/latest/intercepting-operations.html.

Wed, 11 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:artemis:2.50.0:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
References

Wed, 04 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared: Apache; Apache activemq Artemis; Apache artemis
Vendors & Products: Apache; Apache activemq Artemis; Apache artemis

Wed, 04 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
References

Wed, 04 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

threat_severity

Important


Wed, 04 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
Description Missing Authentication for Critical Function (CWE-306) vulnerability in Apache Artemis, Apache ActiveMQ Artemis. An unauthenticated remote attacker can use the Core protocol to force a target broker to establish an outbound Core federation connection to an attacker-controlled rogue broker. This could potentially result in message injection into any queue and/or message exfiltration from any queue via the rogue broker. This impacts environments that allow both: - incoming Core protocol connections from untrusted sources to the broker - outgoing Core protocol connections from the broker to untrusted targets This issue affects: - Apache Artemis from 2.50.0 through 2.51.0 - Apache ActiveMQ Artemis from 2.11.0 through 2.44.0. Users are recommended to upgrade to Apache Artemis version 2.52.0, which fixes the issue. The issue can be mitigated by either of the following: - Remove Core protocol support from any acceptor receiving connections from untrusted sources. Incoming Core protocol connections are supported by default via the "artemis" acceptor listening on port 61616. See the "protocols" URL parameter configured for the acceptor. An acceptor URL without this parameter supports all protocols by default, including Core. - Use two-way SSL (i.e. certificate-based authentication) in order to force every client to present the proper SSL certificate when establishing a connection before any message protocol handshake is attempted. This will prevent unauthenticated exploitation of this vulnerability.
Title Apache Artemis, Apache ActiveMQ Artemis: Auth bypass for Core downstream federation
Weaknesses CWE-306
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-17T15:29:53.714Z

Reserved: 2026-02-19T16:10:53.921Z

Link: CVE-2026-27446

Vulnrichment

Updated: 2026-03-05T04:33:58.767Z

NVD

Status: Modified

Published: 2026-03-04T09:15:56.837

Modified: 2026-03-17T16:16:20.727

Link: CVE-2026-27446

Redhat

Severity: Important

Public Date: 2026-03-04T06:06:00Z

Links: CVE-2026-27446 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses