CVE-2026-46605 - Vulnerability Details

- Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal

Description

Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions.

This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.

Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.

Published: 2026-06-01

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw consists of incomplete authorization checks during destination removal in Apache ActiveMQ. As a result, any authenticated user can delete existing queues or topics even when lacking proper rights, potentially disrupting message routing, causing data loss, or leading to denial of service.

Affected Systems

Affected products include Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ. The vulnerability is present in all releases older than 5.19.7 and older than 6.2.6, including versions from 6.0.0 until the specified limits.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity, and the EPSS score of <1% suggests a low probability of exploitation. The flaw can be exercised by anyone who can authenticate to the broker, making it exploitable in environments where credentials are compromised or shared. Although the vulnerability is not listed in CISA’s KEV catalog, its impact on critical messaging services and the lack of strong authorization imply a high potential for exploitation if left unpatched.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Apache Software Foundation

Apache ActiveMQ Broker

unaffected

Version	Status	Constraints
`0`	affected	< 5.19.7
`6.0.0`	affected	< 6.2.6

Apache Software Foundation

Apache ActiveMQ All

unaffected

Version	Status	Constraints
`0`	affected	< 5.19.7
`6.0.0`	affected	< 6.2.6

Apache Software Foundation

Apache ActiveMQ

unaffected

Version	Status	Constraints
`0`	affected	< 5.19.7
`6.0.0`	affected	< 6.2.6

Configuration 1 [-]

OR	cpe:2.3:a:apache:activemq::::::::
	cpe:2.3:a:apache:activemq::::::::
	cpe:2.3:a:apache:activemq_broker::::::::
	cpe:2.3:a:apache:activemq_broker::::::::

No data.

Vendor Product Confidence Versions

Apache

Activemq

95%

Version	Status	Scheme	Platform
`[0,5.19.7)`	affected	generic	—
`[6.0.0,6.2.6)`	affected	semver	—

Apache

Activemq All

100%

Version	Status	Scheme	Platform
`[0,5.19.7)`	affected	generic	—
`[6.0.0,6.2.6)`	affected	semver	—

Apache

Activemq Broker

95%

Version	Status	Scheme	Platform
`[0,5.19.7)`	affected	generic	—
`[6.0.0,6.2.6)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Apache ActiveMQ v6.2.6 or v5.19.7 to apply the official fix.
If an upgrade cannot be performed immediately, restrict or disable destination deletion via JMX or web console configuration and enforce strict role‑based permissions to prevent unauthorized delete operations.
Block external access to management interfaces (JMX, web console, REST) from untrusted networks until the patch is applied to reduce the attack surface.

Generated by OpenCVE AI on June 1, 2026 at 16:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00335.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
http://www.openwall.com/lists/oss-security/2026/05/31/20
https://lists.apache.org/thread/l4lxgr2s73g9pb218f180psfyskf8ldm

History

Wed, 03 Jun 2026 02:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache activemq All
Vendors & Products		Apache activemq All

Mon, 01 Jun 2026 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Apache Apache activemq Apache activemq Broker
CPEs		cpe:2.3:a:apache:activemq:::::::: cpe:2.3:a:apache:activemq_broker::::::::
Vendors & Products		Apache Apache activemq Apache activemq Broker

Mon, 01 Jun 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 01 Jun 2026 09:30:00 +0000

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2026/05/31/20

Mon, 01 Jun 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.
Title		Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Incomplete authorization during destination removal
Weaknesses		CWE-285
References		https://lists.apache.org/thread/l4lxgr2s73g9pb218f180psfyskf8ldm

Subscriptions

Apache Activemq Activemq All Activemq Broker

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2026-06-01T07:21:13.148Z

Updated: 2026-06-01T14:44:50.457Z

Reserved: 2026-05-15T18:20:10.111Z

Link: CVE-2026-46605

Vulnrichment

Updated: 2026-06-01T07:48:00.286Z

NVD

Status : Analyzed

Published: 2026-06-01T09:16:19.827

Modified: 2026-06-01T17:07:51.933

Link: CVE-2026-46605

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T20:55:01Z

Weaknesses

CWE-285
Improper Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object