MEDIUM🇵🇱 Wersja polska

CVE-2026-49270

CVSS 5.9v3.1pub. 2026-06-01

Exposure of Sensitive Information Through Metadata vulnerability in Apache ActiveMQ Broker, Apache ActiveMQ, Apache ActiveMQ All. Brokers that are configured with a network connector with syncDurableSubs set to true, are vulnerable to an unauthenticated attacker who can receive a list of all durable topic subscriptions in the broker, including client identifiers, subscription names, topic destinations, and JMS selector expressions, by sending a BrokerInfo command. The broker incorrectly responds without first ensuring the connection is authenticated. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Apache Activemq

    APP
    Apache
    < 5.19.76.0.0 – 6.2.6 (bez)
  • Apache Activemq Broker

    APP
    Apache
    < 5.19.76.0.0 – 6.2.6 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2023-46604CRITICAL10.0⚠ KEVten sam produkt

The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a ...

CVE-2016-3088CRITICAL9.8⚠ KEVten sam produkt

The Fileserver web application in Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and exec...

CVE-2020-11998CRITICAL9.8ten sam produkt

A regression has been introduced in the commit preventing JMX re-bind. By passing an empty environment map to ...

CVE-2013-7285CRITICAL9.8ten sam produkt

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may a...

CVE-2014-3600CRITICAL9.8ten sam produkt

XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have u...