Apache has disclosed a new high-severity vulnerability in Apache ActiveMQ, tracked as CVE-2026-49157, that allows authenticated low-privilege web users to perform administrative broker management operations via the Jolokia interface, which should be strictly restricted to administrator accounts.
The flaw stems from incorrect default permissions in the Jolokia JMX-HTTP bridge and affects all Apache ActiveMQ deployments running versions before 5.19.7 and from 6.0.0 through 6.2.5.
CVE-2026-49157 is classified as an Incorrect Default Permissions vulnerability in Apache ActiveMQ. The flaw was publicly disclosed on May 31, 2026, through the OSS Security mailing list by Christopher L. Shannon of the Apache Software Foundation. It was credited to security researcher Leon Johnson (GitHub: lokerxx) as the finder.
The vulnerability targets the Jolokia JMX-HTTP bridge, a management interface that ActiveMQ exposes on the broker’s web console at /api/jolokia/.
Under the default Jolokia authorization configuration, non-admin (low-privilege) web-login accounts were incorrectly granted access to Jolokia operations, including sensitive broker management actions such as the addQueue and removeQueue operations, which are explicitly intended for privileged administrators only.
This means any user who can log in to the ActiveMQ web console, even with the most basic credentials, can manipulate core broker infrastructure without ever needing administrative rights.
In enterprise messaging environments, this level of unauthorized access can disrupt critical application workflows, delete message queues, or create new queues to intercept or redirect sensitive business data.
Affected Versions
The following Apache ActiveMQ releases are confirmed vulnerable:
- Apache ActiveMQ (org.apache.activemq:apache-activemq) before 5.19.7
- Apache ActiveMQ (org.apache.activemq:apache-activemq) 6.0.0 before 6.2.6
It is important to note that Apache ActiveMQ Artemis (the next-generation broker) is not affected by this vulnerability. Organizations running only the Artemis branch can confirm they are outside the risk scope. However, those running Apache ActiveMQ Classic in any of the above version ranges should treat this disclosure as urgent.
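The version ranges above are easy to misread when a fleet mixes 5.x and 6.x brokers. The following check, an added example that is not part of the advisory or the ActiveMQ project, encodes the two affected ranges from this page as tuple comparisons and returns which fixed release applies. The `product` argument is an assumption added so that an Artemis version string (which uses its own numbering) is never reported as affected.

```python
import re

# Fixed releases named in the advisory; anything below them on the same branch is affected.
FIXED_5X = (5, 19, 7)
FIXED_6X = (6, 2, 6)
FIRST_6X = (6, 0, 0)


def parse_version(version):
    """Turn '5.19.7' or '6.2.6-SNAPSHOT' into a tuple of ints (qualifier dropped, padded to 3 parts)."""
    core = version.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def fixed_release_for(version, product="classic"):
    """Return the patched release a vulnerable deployment should move to, or None if not affected.

    product: "classic" for Apache ActiveMQ (the affected product) or "artemis", which the
    advisory states is not affected regardless of version.  (Parameter is hypothetical.)
    """
    if product.lower() == "artemis":
        return None
    v = parse_version(version)
    if v < FIXED_5X:                     # every release before 5.19.7
        return "5.19.7"
    if FIRST_6X <= v < FIXED_6X:         # 6.0.0 up to and including 6.2.5
        return "6.2.6"
    return None


def is_affected(version, product="classic"):
    return fixed_release_for(version, product) is not None


if __name__ == "__main__":
    # Constructed sample inventory: (host, product, version)
    inventory = [
        ("mq-01", "classic", "5.18.3"),
        ("mq-02", "classic", "5.19.7"),
        ("mq-03", "classic", "6.2.5"),
        ("mq-04", "classic", "6.2.6"),
        ("mq-05", "artemis", "2.33.0"),
    ]
    for host, product, version in inventory:
        fix = fixed_release_for(version, product)
        print(f"{host}: {product} {version} -> {'upgrade to ' + fix if fix else 'not affected'}")
```

Note that a 2.x Artemis version would sort below 5.19.7, so the product must be passed explicitly; the version string alone cannot tell the two brokers apart.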
This is not the first time Apache ActiveMQ’s Jolokia integration has become a focal point for security research. Earlier in 2026, a related and more severe vulnerability, CVE-2026-34197 (CVSS 8.8 High), was disclosed, allowing authenticated users to achieve full remote code execution (RCE) on the broker’s JVM by invoking the addNetworkConnector management operation with a crafted discovery URI that loads a remote Spring XML application context via ResourceXmlApplicationContext.
That vulnerability was subsequently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
CVE-2026-49157 compounds this risk by establishing that the Jolokia authorization model itself contains endemic design-level weaknesses in how permissions are assigned by default.
Whereas CVE-2026-34197 enabled code execution through crafted input, CVE-2026-49157 enables privilege abuse through incorrect access control configuration, both rooted in the same over-permissive Jolokia access policy.
Security researchers at Horizon3.ai and CyCognito have observed that environments running older versions of ActiveMQ Classic (6.0.0–6.1.1) are at compounded risk because CVE-2024-32114 also inadvertently exposes the Jolokia API without authentication, effectively making CVE-2026-49157 exploitable by entirely unauthenticated attackers on those versions.
Apache ActiveMQ is one of the most widely deployed open-source message brokers in enterprise environments, functioning as the messaging backbone for financial services, healthcare platforms, e-commerce systems, and cloud-native microservices architectures.
The ability for a low-privilege web user to invoke addQueue and removeQueue operations translates directly to real-world risk: attackers can silently remove message queues to cause application downtime, create rogue queues to intercept business-critical messages, or use broker management operations as a foothold for lateral movement within an organization’s infrastructure.
The vulnerability is rated Important in severity by Apache, not Critical, because exploitation requires a valid authenticated session (even low-privilege). However, in environments where default credentials are in use, this barrier is trivially bypassed, making the effective risk substantially higher than the classification may suggest.
Mitigation
Apache has released fixed versions addressing CVE-2026-49157. Users are strongly recommended to upgrade immediately to one of the following patched releases:
- Apache ActiveMQ 5.19.7 (for 5.x branch users)
- Apache ActiveMQ 6.2.6 (for 6.x branch users)
Where immediate patching is not feasible, organizations should harden their Jolokia configuration by restricting access to prevent non-admin users from performing broker management operations.
Access to the /api/jolokia/ endpoint and the web console on port 8161 should be limited to trusted management networks and protected by strong, non-default authentication credentials.
Additionally, organizations should audit existing web console user accounts to ensure no low-privilege accounts carry unintended access to Jolokia exec operations.
Monitoring broker logs for unexpected queue creation or deletion activity and network connector changes remains an important detection strategy, particularly for organizations that cannot patch immediately.
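One way to act on the detection advice above is to review the web console’s HTTP access log for Jolokia requests that invoke the management operations named in this article from accounts outside the administrator group. The script below is an added example, not code from the advisory or from Apache ActiveMQ. It assumes the console writes an NCSA-style access log that records the authenticated user (the sample lines are constructed) and that the Jolokia GET-style URL layout `/api/jolokia/exec/<mbean>/<operation>/<args>` is in use; the admin account list is an assumed input.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in NCSA access-log format (hypothetical; not taken from the page).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - admin [01/Jun/2026:10:01:02 +0000] "GET /api/jolokia/read/org.apache.activemq:type=Broker,brokerName=localhost/TotalMessageCount HTTP/1.1" 200 311
10.0.0.9 - user [01/Jun/2026:10:02:15 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addQueue/audit.queue HTTP/1.1" 200 142
10.0.0.9 - user [01/Jun/2026:10:02:40 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/removeQueue/orders HTTP/1.1" 200 140
10.0.0.5 - admin [01/Jun/2026:10:03:00 +0000] "GET /api/jolokia/exec/org.apache.activemq:type=Broker,brokerName=localhost/addQueue/reports HTTP/1.1" 200 142
10.0.0.9 - user [01/Jun/2026:10:04:10 +0000] "POST /api/jolokia/ HTTP/1.1" 200 98
10.0.0.7 - user [01/Jun/2026:10:05:00 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 5120
"""

# NCSA common log format: client, ident, authenticated user, timestamp, request line, status.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Broker MBean operations this article names as admin-only; extend as your policy requires.
SENSITIVE_OPS = {"addQueue", "removeQueue", "addNetworkConnector"}


def parse_jolokia_request(method, path):
    """Classify a request path: None if not Jolokia, else (kind, mbean, operation)."""
    path = unquote(path.split("?", 1)[0])
    if not (path == "/api/jolokia" or path.startswith("/api/jolokia/")):
        return None
    rest = path[len("/api/jolokia"):].strip("/")
    if method == "POST" and not rest:
        # POST requests carry the operation in a JSON body the access log does not record.
        return ("post", None, None)
    parts = rest.split("/")
    if parts[0] == "exec" and len(parts) >= 3:
        return ("exec", parts[1], parts[2])
    return (parts[0] or "unknown", parts[1] if len(parts) > 1 else None, None)


def audit_access_log(log_text, admin_users):
    """Return findings for non-admin accounts touching sensitive Jolokia operations."""
    findings = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        req = parse_jolokia_request(m["method"], m["path"])
        if req is None or m["user"] in admin_users:
            continue
        kind, mbean, op = req
        status = int(m["status"])
        base = {"user": m["user"], "ip": m["ip"], "time": m["ts"],
                "mbean": mbean, "operation": op, "status": status}
        if kind == "exec" and op in SENSITIVE_OPS:
            # 2xx means the broker accepted the call; anything else is an attempt worth noting.
            findings.append({"severity": "high" if status < 400 else "attempt", **base})
        elif kind == "post":
            # Body not visible here: flag for review against broker-side logs.
            findings.append({"severity": "review", **base})
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_ACCESS_LOG, admin_users={"admin"}):
        print(f"[{f['severity']}] {f['time']} {f['user']}@{f['ip']} "
              f"{f['operation'] or 'POST body'} status={f['status']}")
```

Because Jolokia also accepts POST requests whose operation is only in the JSON body, the access log alone cannot confirm what a non-admin POST did; those entries are surfaced as review items to be correlated with the broker’s own log of queue and network connector changes.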
FAQ
Q1: What is CVE-2026-49157 in Apache ActiveMQ?
CVE-2026-49157 is an Incorrect Default Permissions flaw allowing low-privilege ActiveMQ web users to invoke admin-only Jolokia broker operations like addQueue and removeQueue.
Q2: Which Apache ActiveMQ versions are affected by CVE-2026-49157?
All Apache ActiveMQ Classic versions before 5.19.7 and versions 6.0.0 through 6.2.5 are vulnerable; ActiveMQ Artemis is not affected.
Q3: How should organizations fix the CVE-2026-49157 vulnerability?
Upgrade to Apache ActiveMQ 5.19.7 or 6.2.6, restrict access to the Jolokia endpoint, and replace the default credentials with strong authentication immediately.
Q4: Is CVE-2026-49157 related to the earlier CVE-2026-34197 Apache ActiveMQ RCE flaw?
Both vulnerabilities share the same root cause, overly permissive Jolokia default settings, but CVE-2026-34197 enables RCE, while CVE-2026-49157 enables low-privilege users to manage brokers.
Site: thecybrdef.com