SB20260604103 - Improper access control in Apache ActiveMQ Artemis

Published: June 4, 2026

Security Bulletin ID: SB20260604103
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2026-40914)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to bypass the authorization check that restricts which routing types an address supports.

The vulnerability exists due to improper access control in the STOMP address handling of Apache ActiveMQ Artemis. A remote user who holds send or consume permission on an address, but not createAddress permission, can issue crafted STOMP operations that augment the routing types supported by that address, bypassing the routing-type restriction that createAddress permission is meant to protect.

As a result, send or consume operations can succeed with a routing type the corresponding address does not support, where the broker should have rejected them. The attacker needs valid credentials with send or consume permission on the target address; the bulletin does not describe an unauthenticated path.
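The precondition the bulletin names is a principal that holds send or consume permission on an address without also holding createAddress. The following script is an added example, not code from the bulletin or from the Artemis project: it reads a broker.xml (the one embedded below is constructed for illustration) and lists, per security-setting match, the roles in that position, together with the routing types statically declared for each address. It reports each security-setting entry on its own and does not resolve the broker's wildcard precedence between entries, and it cannot see addresses auto-created at runtime, so treat its output as a list of candidates to review rather than a verdict.

```python
"""Audit an Artemis broker.xml for the precondition in the bulletin:
roles with send/consume permission on an address but no createAddress.

Added example, not code from the bulletin or the Artemis project.
The broker.xml text below is constructed for illustration."""
import xml.etree.ElementTree as ET

# Constructed sample: "producer" can send and "worker" can consume on
# orders.#, but only "admin" may create addresses there.
SAMPLE_BROKER_XML = """<configuration xmlns="urn:activemq">
  <core xmlns="urn:activemq:core">
    <security-settings>
      <security-setting match="orders.#">
        <permission type="createAddress" roles="admin"/>
        <permission type="send" roles="admin,producer"/>
        <permission type="consume" roles="admin,worker"/>
      </security-setting>
      <security-setting match="#">
        <permission type="createAddress" roles="admin"/>
        <permission type="send" roles="admin"/>
        <permission type="consume" roles="admin"/>
      </security-setting>
    </security-settings>
    <addresses>
      <address name="orders.new">
        <anycast>
          <queue name="orders.new"/>
        </anycast>
      </address>
      <address name="orders.events">
        <multicast/>
      </address>
    </addresses>
  </core>
</configuration>
"""


def _local(tag):
    """Strip the XML namespace, e.g. '{urn:activemq:core}address' -> 'address'."""
    return tag.rsplit("}", 1)[-1]


def _roles(attr):
    """Split a comma-separated roles attribute into a set of role names."""
    return {r.strip() for r in attr.split(",") if r.strip()}


def audit_security_settings(xml_text):
    """Return {match: sorted roles with send or consume but no createAddress}."""
    root = ET.fromstring(xml_text)
    findings = {}
    for setting in root.iter():
        if _local(setting.tag) != "security-setting":
            continue
        perms = {}
        for perm in setting:
            if _local(perm.tag) != "permission":
                continue
            perms.setdefault(perm.get("type", ""), set()).update(
                _roles(perm.get("roles", "")))
        can_create = perms.get("createAddress", set())
        data_roles = perms.get("send", set()) | perms.get("consume", set())
        findings[setting.get("match", "")] = sorted(data_roles - can_create)
    return findings


def address_routing_types(xml_text):
    """Return {address name: set of routing types declared in <addresses>}."""
    root = ET.fromstring(xml_text)
    result = {}
    for addr in root.iter():
        if _local(addr.tag) != "address" or addr.get("name") is None:
            continue
        result[addr.get("name")] = {
            _local(child.tag) for child in addr
            if _local(child.tag) in ("anycast", "multicast")}
    return result


if __name__ == "__main__":
    for match, roles in audit_security_settings(SAMPLE_BROKER_XML).items():
        print(f"security-setting {match!r}: send/consume without createAddress -> {roles}")
    for name, types in address_routing_types(SAMPLE_BROKER_XML).items():
        print(f"address {name!r}: routing types {sorted(types)}")
```

For a real broker, point `ET.fromstring` at the contents of the deployed broker.xml (or `ET.parse` on the file). A single-routing-type address whose match entry lists roles in the output is the situation the bulletin describes; the fix remains installing the vendor update, and the audit only helps prioritise which brokers and roles to check first.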


Remediation

Install the update from the vendor's website.