Improper Authorization in ActiveMQ - CVE-2026-49877
Published: July 1, 2026
ActiveMQ
Detailed vulnerability description
The vulnerability allows a remote user to access administrative functionality.
The vulnerability exists due to improper authorization in the Web Console /admin/* paths when handling requests from authenticated low-privilege Web Console users. A remote user can request /admin/* paths to reach administrative functionality.
The issue is caused by default Jetty settings that do not restrict those paths to administrators only.
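One way to check a configuration for the condition described above, as an added example (not code from the advisory or from the ActiveMQ project): the script parses a Spring-style Jetty bean file and reports any constraint mapping that lists /admin/* but admits roles other than the administrator role. The sample XML is constructed, and the bean layout, the comma-separated pathSpec and the role name admin are assumptions.

```python
import xml.etree.ElementTree as ET

BEANS = "http://www.springframework.org/schema/beans"

# Constructed sample, not copied from any release. Bean ids, role names and the
# comma-separated pathSpec are assumptions made for this example.
SAMPLE_WEAK = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="roles" value="user,admin"/>
    <property name="authenticate" value="true"/>
  </bean>
  <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint"/>
    <property name="pathSpec" value="/api/*,/admin/*,*.jsp"/>
  </bean>
</beans>"""

def _props(bean):
    """Map each <property> name to its value= or ref= attribute."""
    return {p.get("name"): p.get("value") or p.get("ref")
            for p in bean.findall("{%s}property" % BEANS)}

def _csv(text):
    """Split a comma-separated attribute into a set of trimmed items."""
    return {item.strip() for item in (text or "").split(",") if item.strip()}

def audit_admin_paths(xml_text, admin_roles=frozenset({"admin"})):
    """Return findings for /admin/* mappings that admit non-admin roles."""
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): b for b in root.iter("{%s}bean" % BEANS)}
    findings, covered = [], False
    for bean_id, bean in beans.items():
        if not (bean.get("class") or "").endswith(".ConstraintMapping"):
            continue
        mapping = _props(bean)
        if "/admin/*" not in _csv(mapping.get("pathSpec")):
            continue  # only a literal /admin/* entry is matched here
        covered = True
        target = beans.get(mapping.get("constraint"))
        constraint = _props(target) if target is not None else {}
        extra = _csv(constraint.get("roles")) - set(admin_roles)
        if (constraint.get("authenticate") or "").lower() != "true":
            findings.append(f"{bean_id}: /admin/* does not require authentication")
        elif extra:
            findings.append(f"{bean_id}: /admin/* open to non-admin roles {sorted(extra)}")
    if not covered:
        findings.append("no ConstraintMapping covers /admin/*")
    return findings

if __name__ == "__main__":
    for line in audit_admin_paths(SAMPLE_WEAK):
        print(line)
```

The check matches only a literal /admin/* entry, so a broader pattern that also covers those paths needs a separate review.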