Impact
This vulnerability stems from Apache ActiveMQ's default permission settings, which grant low-privilege web users access to Jolokia broker-management operations such as adding or removing queues. The primary impact is that an authenticated non-admin user can alter critical broker configuration through the Jolokia endpoint, potentially causing denial of service or other disruption. The underlying weakness is incorrect default permissions (CWE-276).
Affected Systems
Apache ActiveMQ installations prior to 5.19.7 and any 6.x build before 6.2.6 are affected. These versions ship with a default Jolokia authorization configuration that does not prevent non-admin logins from invoking broker-management operations, so any system running one of these builds is vulnerable.
Risk and Exploitability
The likely attack vector is an authenticated login to the ActiveMQ web console followed by Jolokia requests to broker-management endpoints; this is inferred from the description, which states that low-privilege users can perform admin operations. Once logged in, an attacker can send Jolokia requests that add or remove queues. The CVSS score of 8.8 indicates high severity, while the EPSS score of < 1 % indicates a low probability of exploitation at this time; the vulnerability nonetheless remains serious because the default Jolokia endpoint is exposed to low-privilege users. The issue is not listed in CISA's KEV catalog. Until the broker is upgraded (5.19.7 or 6.2.6 and later) or the Jolokia authorization is tightened, the vulnerability remains exploitable.
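As an added example (not from the advisory or the ActiveMQ project), the following Python checks a reported version against the affected ranges above and flags Jolokia POST bodies that execute broker-management operations on behalf of a principal without the admin role. The sample entries, the role names and the operations beyond addQueue/removeQueue are constructed assumptions.

```python
import json
import re

# Fixed versions from the advisory: 5.19.7 for the 5.x line, 6.2.6 for 6.x.
FIXED = {5: (5, 19, 7), 6: (6, 2, 6)}
# Broker-management operations to watch. addQueue/removeQueue come from the
# advisory; the rest of the set is an assumption added for illustration.
MGMT_OPS = {"addQueue", "removeQueue", "addTopic", "removeTopic", "stop"}
BROKER_MBEAN = "org.apache.activemq:type=Broker"

def parse_version(text):
    """Extract the first x.y.z in e.g. 'ActiveMQ 5.18.3' as a tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version_text):
    """True when the version lies inside an affected range stated by the advisory."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[0])
    return v < fixed if fixed else False  # other major lines are outside the stated ranges

def flag_request(user, roles, body):
    """Return a reason for each 'exec' of a broker-management operation found in a
    Jolokia POST body (single object or bulk array) sent by a principal lacking admin."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return []
    hits = []
    for r in req if isinstance(req, list) else [req]:
        if not isinstance(r, dict):
            continue
        op = str(r.get("operation", "")).split("(")[0]  # drop a signature suffix
        if (r.get("type") == "exec" and str(r.get("mbean", "")).startswith(BROKER_MBEAN)
                and op in MGMT_OPS and "admin" not in roles):
            hits.append(f"{user} roles={sorted(roles)} invoked {op} on {r['mbean']}")
    return hits

# Constructed sample entries (user, roles, raw Jolokia POST body); not real logs.
SAMPLE_LOG = [
    ("alice", {"user"}, '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"removeQueue","arguments":["orders"]}'),
    ("bob", {"admin"}, '{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addQueue","arguments":["audit"]}'),
    ("alice", {"user"}, '{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","attribute":"TotalMessageCount"}'),
    ("carol", {"user"}, '[{"type":"read","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","attribute":"Uptime"},{"type":"exec","mbean":"org.apache.activemq:type=Broker,brokerName=localhost","operation":"addQueue(java.lang.String)","arguments":["scratch"]}]'),
]

def scan(entries):
    return [h for e in entries for h in flag_request(*e)]
```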
OpenCVE Enrichment