Description
Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription should instead fail since the user is not authorized to create the corresponding address. When the OpenWire connection is closed the address is removed.

This issue affects Apache Artemis: from 2.50.0 through 2.52.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.

Users are recommended to upgrade to version 2.53.0, which fixes the issue.
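A configuration check for the preconditions named in the description above, added here as an example (it is not code from the advisory or from the Artemis project). It parses a broker.xml and reports, per security-setting match, the roles that hold createDurableQueue without createAddress, plus the address-setting matches where auto-create-addresses is false. The sample XML, addresses and role names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed broker.xml fragment; addresses and role names are hypothetical.
SAMPLE_BROKER_XML = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <security-settings>
      <security-setting match="orders.#">
        <permission type="createAddress" roles="admin"/>
        <permission type="createDurableQueue" roles="admin, app-consumer"/>
      </security-setting>
      <security-setting match="audit.#">
        <permission type="createAddress" roles="admin"/>
        <permission type="createDurableQueue" roles="admin"/>
      </security-setting>
    </security-settings>
    <address-settings>
      <address-setting match="orders.#">
        <auto-create-addresses>false</auto-create-addresses>
      </address-setting>
    </address-settings>
  </core>
</configuration>"""

def roles_for(setting, perm_type):
    """Roles granted perm_type inside one <security-setting> element."""
    roles = set()
    for perm in setting.findall("{*}permission"):  # {*} = any XML namespace
        if perm.get("type") == perm_type:
            roles |= {r.strip() for r in perm.get("roles", "").split(",") if r.strip()}
    return roles

def audit(xml_text):
    """Return (exposed, no_autocreate): roles per match that have
    createDurableQueue but not createAddress, and address-setting matches
    that explicitly set auto-create-addresses to false."""
    root = ET.fromstring(xml_text)
    exposed = {}
    for s in root.findall(".//{*}security-setting"):
        gap = roles_for(s, "createDurableQueue") - roles_for(s, "createAddress")
        if gap:
            exposed[s.get("match")] = sorted(gap)
    no_autocreate = [
        a.get("match") for a in root.findall(".//{*}address-setting")
        if (a.findtext("{*}auto-create-addresses") or "").strip().lower() == "false"
    ]
    return exposed, no_autocreate

if __name__ == "__main__":
    print(audit(SAMPLE_BROKER_XML))
```

A flagged role is relevant only where an acceptor accepts OpenWire and the address-setting covering the same addresses disables auto-creation; the script reports both lists and leaves the wildcard comparison of the match patterns to the reviewer.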
Published: 2026-03-24
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Privacy and Authorization Bypass
Action: Update Immediately
AI Analysis

Impact

An incorrect authorization flaw allows an authenticated user who has the createDurableQueue permission to circumvent the absence of createAddress rights when attempting to create a non-durable JMS topic subscription via the OpenWire protocol. The result is that a temporary address is created automatically, thereby permitting the user to subscribe to (and potentially read from) a resource they should not be able to access. This unauthorized creation violates the intended access controls and may expose sensitive messaging data.

Affected Systems

Apache Software Foundation products Apache Artemis and Apache ActiveMQ Artemis are affected. Vulnerable releases span Apache Artemis 2.50.0 through 2.52.0 and Apache ActiveMQ Artemis 2.0.0 through 2.44.0. All editions of these products deployed in environments where OpenWire connections are enabled fall under the scope.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS score of less than 1 percent suggests a low probability of exploitation. The vulnerability is not included in CISA’s Known Exploited Vulnerabilities list. Exploitation would require an authenticated OpenWire client with createDurableQueue privileges but lacking createAddress rights. Address auto-creation must also be disabled for the condition to arise. While the attack surface is narrow, the potential for unauthorized access to message topics warrants timely remediation.

Generated by OpenCVE AI on March 30, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Artemis and Apache ActiveMQ Artemis to at least version 2.53.0, the first release that includes the fix for the authorization bypass.



Advisories
Source: Github GHSA
ID: GHSA-f4gc-mwrg-q36r
Title: Apache Artemis: Unauthorized Temporary Address Creation via OpenWire Protocol
History

Mon, 30 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*
cpe:2.3:a:apache:artemis:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

threat_severity

Moderate


Tue, 24 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache activemq Artemis
Apache artemis
Vendors & Products Apache
Apache activemq Artemis
Apache artemis

Tue, 24 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
References

Tue, 24 Mar 2026 08:15:00 +0000

Type Values Removed Values Added
Description (same text as the Description at the top of this page)
Title Apache Artemis, Apache ActiveMQ Artemis: Temporary address auto-created for OpenWire consumer without createAddress permission
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-03-24T14:13:23.718Z

Reserved: 2026-03-12T16:06:20.022Z

Link: CVE-2026-32642

Vulnrichment

Updated: 2026-03-24T08:18:48.283Z

NVD

Status: Analyzed

Published: 2026-03-24T08:16:01.430

Modified: 2026-03-30T14:24:59.710

Link: CVE-2026-32642

Redhat

Severity: Moderate

Public Date: 2026-03-24T07:53:44Z

Links: CVE-2026-32642 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-30T20:58:10Z
