Impact
An authenticated low‑privilege user of the ActiveMQ Web Console can reach administrative paths (/admin/*) that are intended for administrators only. The flaw lies in Jetty’s default configuration, which does not enforce the intended authorization policy on those paths, so a user with limited rights can escalate their privileges. The vulnerability is classified as CWE‑285 (improper authorization). The consequence is that an attacker who can log in through the web console, even with limited rights, can perform potentially dangerous management operations on the broker, compromising its integrity and possibly its availability.
Affected Systems
This issue affects Apache ActiveMQ versions before 5.19.8 and before 6.2.7. The affected products are Apache ActiveMQ Web Console deployments that rely on the default Jetty configuration and have not applied the cited version updates.
Risk and Exploitability
The likely attack vector is authenticating through the web console with a low‑privilege account and then accessing the /admin/* paths, which the default configuration permits. The CVSS score of 8.1 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that widespread exploitation has not been documented. Nonetheless, because the exploit requires only an authenticated account and provides unrestricted broker control, the risk remains significant for environments where the console is accessible from untrusted networks.
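The root cause described above is an authorization policy that lets any authenticated role through a path that should demand the administrator role. The following is an added example, not code from this advisory or from the ActiveMQ or Jetty projects: a small model of servlet-style constraint mappings that lets a defender audit a policy offline and see whether a low-privilege principal can reach the admin subtree. Everything in it is an assumption for illustration: the path-spec matching rules (exact match beats longest prefix beats suffix), the role names `user` and `admin`, the sample admin paths, and the two policies, which are constructed to show the class of misconfiguration rather than the literal contents of any shipped jetty.xml.

```python
"""Offline audit of a role-based path policy (added example, not project code).

Models servlet-style security constraints: each Mapping binds a path spec
("/admin/*" prefix, "*.action" suffix, or an exact path) to the roles that
satisfy it. Semantics are an assumption of this model: the most specific
matching spec governs a request, and roles declared for that spec are unioned.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    roles: frozenset            # roles that satisfy the constraint
    authenticate: bool = True   # caller must be logged in at all


@dataclass(frozen=True)
class Mapping:
    path_spec: str              # "/admin/*", "*.action" or an exact path
    constraint: Constraint


def spec_matches(spec, path):
    """Prefix specs cover the directory itself and everything under it."""
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec


def _specificity(spec):
    # Assumed ordering: exact > longest prefix > suffix (higher tuple wins).
    if spec.endswith("/*"):
        return (2, len(spec))
    if spec.startswith("*."):
        return (1, 0)
    return (3, len(spec))


def applicable(mappings, path):
    """All mappings declared for the single most specific spec matching `path`."""
    hits = [m for m in mappings if spec_matches(m.path_spec, path)]
    if not hits:
        return []
    best = max(_specificity(m.path_spec) for m in hits)
    return [m for m in hits if _specificity(m.path_spec) == best]


def authorize(mappings, path, principal_roles, authenticated=True):
    """True if the request is allowed under the policy.

    A path matched by no mapping is unconstrained and therefore allowed; that
    is the other gap an admin-only policy has to be checked for.
    """
    governing = applicable(mappings, path)
    if not governing:
        return True
    if any(m.constraint.authenticate for m in governing) and not authenticated:
        return False
    allowed = frozenset().union(*(m.constraint.roles for m in governing))
    return bool(allowed & frozenset(principal_roles))


# Constructed sample of paths a console administrator would use.
ADMIN_PATHS = ["/admin/", "/admin/index.jsp", "/admin/queues.jsp",
               "/admin/deleteDestination.action"]

# Constructed weak policy: /admin/* accepts any authenticated role. The
# admin-only "*.action" rule does not help, because the /admin/* prefix is
# more specific than a suffix and governs those requests instead.
WEAK = [
    Mapping("/admin/*", Constraint(frozenset({"user", "admin"}))),
    Mapping("/api/*", Constraint(frozenset({"user", "admin"}))),
    Mapping("*.action", Constraint(frozenset({"admin"}))),
]

# Constructed hardened policy: the whole /admin/* subtree demands "admin".
HARDENED = [
    Mapping("/admin/*", Constraint(frozenset({"admin"}))),
    Mapping("/api/*", Constraint(frozenset({"user", "admin"}))),
    Mapping("*.action", Constraint(frozenset({"admin"}))),
]


def audit_low_privilege(mappings, roles=("user",), paths=ADMIN_PATHS):
    """Admin paths reachable by a principal holding only low-privilege roles.

    An empty list is the desired result after remediation.
    """
    return [p for p in paths if authorize(mappings, p, roles)]


if __name__ == "__main__":
    print("weak policy exposes:    ", audit_low_privilege(WEAK))
    print("hardened policy exposes:", audit_low_privilege(HARDENED))
```

Run against a transcription of a real deployment's mappings, the audit should return an empty list for every non-administrative role; the weak sample also shows why adding an admin-only suffix rule is not a substitute for tightening the prefix rule that actually governs the /admin/* requests.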
OpenCVE Enrichment