Description
Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ.

Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination.
This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7.

Users are recommended to upgrade to version 6.2.7, which fixes the issue.
Published: 2026-06-30
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache ActiveMQ allows temporary destinations, which are intended to be private to the connection that created them. This vulnerability permits another connection to consume messages from a temporary destination of a different client, effectively bypassing the intended isolation and granting unauthorized read access to messages. The weakness lies in missing authorization checks for temporary destination access.

Affected Systems

The flaw exists in Apache ActiveMQ Broker, Apache ActiveMQ All and Apache ActiveMQ Classic in versions before 5.19.8 and in 6.x versions before 6.2.7. Systems running any of these affected versions are vulnerable.

Risk and Exploitability

There is no EPSS score available and the vulnerability is not listed in CISA's KEV catalog, indicating limited publicly known exploitation. The attack would require an adversary to establish an additional connection to the same broker instance, so the practical exploitability depends on network access to the broker. In the absence of a published exploit, the risk is moderate for environments that allow unauthenticated or poorly authenticated connections.

Generated by OpenCVE AI on June 30, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache ActiveMQ 6.2.7 or newer, or to 5.19.8 if your deployment uses the older series
  • Ensure that only authenticated users connect to the broker or restrict temporary destination creation to privileged connections
  • Monitor broker logs for unusual temporary destination consumption patterns

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 10:45:00 +0000

Type: Description, Title, Weaknesses, References
Values Removed: (empty)
Values Added:
  Description: Missing Authorization vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ. Apache ActiveMQ Classic temporary destinations are expected to be isolated to the connection that created them. The isolation can be broken as this is only checked in the client, allowing a different connection to consume from another connection's temporary destination. This issue affects Apache ActiveMQ Broker: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ All: before 5.19.8, from 6.0.0 before 6.2.7; Apache ActiveMQ: before 5.19.8, from 6.0.0 before 6.2.7. Users are recommended to upgrade to version 6.2.7, which fixes the issue.
  Title: Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ: Temporary destination ownership takeover
  Weaknesses: CWE-862
  References:

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-30T14:52:25.352Z

Reserved: 2026-06-15T16:52:41.340Z

Link: CVE-2026-54475

Vulnrichment

Updated: 2026-06-30T11:06:25.154Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T11:30:04Z
