Missing Authorization in ActiveMQ - CVE-2026-54475

 

Missing Authorization in ActiveMQ - CVE-2026-54475

Published: July 1, 2026


Vulnerability identifier: #VU136625
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-54475
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation
Affected software:
ActiveMQ

Detailed vulnerability description

The vulnerability allows a remote user to consume messages from another connection's temporary destination.

The vulnerability exists due to improper access control in temporary destination ownership enforcement when handling access to temporary destinations. A remote user can use a different connection to consume from another connection's temporary destination to consume messages from another connection's temporary destination.

The isolation of temporary destinations is only checked in the client.


How to mitigate CVE-2026-54475

Install security update from vendor's website.

Sources