{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-49157", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-05-27T21:28:11.005Z", "datePublished": "2026-06-01T07:20:10.862Z", "dateUpdated": "2026-06-01T14:42:33.386Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.activemq:apache-activemq", "product": "Apache ActiveMQ", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "5.19.7", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "6.2.6", "status": "affected", "version": "6.0.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Leon Johnson (github: lokerxx)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Incorrect Default Permissions vulnerability in Apache ActiveMQ.</p><p>This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.</p><p>The default Jolokia authorization settings granted&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">non-admin (low-privilege) web-login accounts</span>&nbsp;access to Jolokia operations which allowed executing broker management operations meant for admins such as <code>addQueue</code> and <code>removeQueue</code>.</p><p>Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.</p>"}], "value": "Incorrect Default Permissions vulnerability in Apache ActiveMQ.\n\nThis issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.\n\nThe default Jolokia authorization settings granted\u00a0non-admin (low-privilege) web-login accounts\u00a0access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.\n\nUsers are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-01T07:20:10.862Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/31/21"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-01T07:48:06.780Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-06-01T14:42:18.312516Z", "id": "CVE-2026-49157", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-01T14:42:33.386Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/05/31/21"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-06-01T07:48:06.780Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-49157", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-06-01T14:42:18.312516Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-01T14:42:08.518Z"}}], "cna": {"title": "Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Leon Johnson (github: lokerxx)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache ActiveMQ", "versions": [{"status": "affected", "version": "0", "lessThan": "5.19.7", "versionType": "semver"}, {"status": "affected", "version": "6.0.0", "lessThan": "6.2.6", "versionType": "semver"}], "packageName": "org.apache.activemq:apache-activemq", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions vulnerability in Apache ActiveMQ.\n\nThis issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.\n\nThe default Jolokia authorization settings granted\u00a0non-admin (low-privilege) web-login accounts\u00a0access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.\n\nUsers are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Incorrect Default Permissions vulnerability in Apache ActiveMQ.</p><p>This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.</p><p>The default Jolokia authorization settings granted&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">non-admin (low-privilege) web-login accounts</span>&nbsp;access to Jolokia operations which allowed executing broker management operations meant for admins such as <code>addQueue</code> and <code>removeQueue</code>.</p><p>Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-06-01T07:20:10.862Z"}}}, "cveMetadata": {"cveId": "CVE-2026-49157", "state": "PUBLISHED", "dateUpdated": "2026-06-01T14:42:33.386Z", "dateReserved": "2026-05-27T21:28:11.005Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-06-01T07:20:10.862Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "matchCriteriaId": "793E68E6-9024-4518-B062-42B2DE5BB555", "versionEndExcluding": "5.19.7", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:activemq:*:*:*:*:*:*:*:*", "matchCriteriaId": "FFF44DB9-1850-4B5F-AD0F-55CB5219AB22", "versionEndExcluding": "6.2.6", "versionStartIncluding": "6.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions vulnerability in Apache ActiveMQ.\n\nThis issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6.\n\nThe default Jolokia authorization settings granted\u00a0non-admin (low-privilege) web-login accounts\u00a0access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue.\n\nUsers are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue."}], "id": "CVE-2026-49157", "lastModified": "2026-06-01T17:09:59.100", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-06-01T09:16:20.427", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/rrcsf6s90hj4tdh89nvkko75q5505rj8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/05/31/21"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "security@apache.org", "type": "Secondary"}]}

{}