CVE-2026-46605
MEDIUM 4.3Incomplete authorization by Apache ActiveMQ server before versions v6.2.6 and v5.19.7 allows authenticated connections to remove existing destinations with proper permissions. This issue affects Apache ActiveMQ Broker: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ All: before 5.19.7, from 6.0.0 before 6.2.6; Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. Users are recommended to upgrade to version v6.2.6 or v5.19.7, which fixes the issue.
No known exploitation, public exploit, or elevated probability at this time. Track for changes.
Exploitation likelihood
0.3%chance of exploitation in 30 days · 25th percentile
Impact if exploited
4.3CVSS 3.1 · MEDIUM
- ConfidentialityNone
- IntegrityNone
- AvailabilityLow
What an attacker needs
- ✓Access: Reachable over the network — no local access needed
- ⚠Privileges: Requires a low-privilege account
- ✓User interaction: No user interaction needed
- ✓Complexity: No special conditions — reliably repeatable
✓ lowers the bar for an attacker · ⚠ raises it
Affected
Vendors Apache Software Foundation
Products Apache Activemq Broker Apache Activemq All Apache Activemq
Weakness (CWE)
- CWE-285
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L